When I first had the idea that was the seed for this blog, it was inspired by the so-called ‘Snowden effect’, in other words the impact that Edward Snowden’s revelations have had both on IT security and on IT in general. I was taken over by events when news of the Heartbleed vulnerability broke.
Much has already been written on Heartbleed, including some excellent descriptions of the issue itself. Given the magnitude of the potential impact, I’m a little surprised that other long-running news stories displaced it so quickly in the mainstream media. On the other hand, the fact that so many newsrooms picked up on the story, together with so many members of the public (not just those in IT) is remarkable in itself.
The fact that a security vulnerability has a sexy name, its own logo and website goes a long way towards explaining how the news of the vulnerability spread. Given the seriousness of the problem, Finnish company Codenomicon took the decision to give the vulnerability a brand in order to help spread the word, and produced an excellent, accessible description on a dedicated site. This worked spectacularly well; within hours word had spread far and wide. However, Codenomicon were not the first to find the bug. Neel Mehta of Google discovered the vulnerability, and Google’s security team created a fix whose timestamp puts the discovery on or before March 21st 2014.
Communication was not as clear as this in all cases. My first thought on hearing of the problem was to check the safety of my current account. The bank had posted a message on their site, but it was not displayed on or linked to their landing page – I had to search for it. The message was prominently displayed after logging on, but had the site been vulnerable that would not have been a prudent thing to do. Other sites did worse still, either being vague about their vulnerability or patching status, or not mentioning it at all.
Different ways were found to spread the word. CloudFlare made an announcement to the effect that they thought it very unlikely that a site’s certificate could be exposed by the exploit. However, they also issued a challenge to hackers to try to breach some of their own, unpatched servers and obtain their certificate. Three hours later, it had been done (for those interested in how, there is an excellent write-up here). News of this went viral, at least in the IT community, scoring a second victory for the use of marketing in raising awareness of the risk. Less conventional methods were also used; the prize for the most easily digested explanation of the problem must go to XKCD.
Opinions vary on what the medium-term impact of Heartbleed will be. Many sites remain unpatched. The ‘reverse Heartbleed’ problem, that the server end of a connection can also send SSL heartbeat requests and therefore gain information from a vulnerable client, means consumer devices are at risk. In the US alone, this means that there are over 4 million Android phones that need to be updated with a patch, with estimates of up to 50 million worldwide. The result of the CloudFlare challenge means that certificates will need to be revoked and reissued, but browser support for certificate revocation protocols is patchy at best, and the size of the Certificate Revocation Lists (CRLs) is set to balloon, potentially harming internet performance.
Attitudes to security in general may also change as a result of Heartbleed, but again there are conflicting signals. According to a recent survey, many security professionals believe that the Snowden revelations had a positive effect on the industry. The survey goes on to say that security is being viewed as a ‘business enabler’. This seems unlikely, but I do believe the argument that Snowden has been a trigger for businesses to better understand potential threats. This will continue in the wake of Heartbleed. Post-Snowden, it had been reported that one in six businesses were delaying or cancelling cloud contracts over concerns about security. This number will now presumably increase. Two weeks ago, an SSL connection was generally assumed to be safe; now we know that assumption was wrong.
So, what, if any, positives are there?
Amidst the hysterical stories, vague statements and conflicting advice, the Heartbleed website stands out as a clear piece of technical writing, and an example of effective communication. Also, by giving the vulnerability a brand, Codenomicon made it easy to find related information (Heartbleed is a unique enough search term to ensure this). The bar has been raised for future communication of this type of issue.
Two engineers working independently discovered the problem, and, having access to the source code, were able to confirm the root cause, create a patch and test it. Transparency enables scrutiny, and scrutiny leads to improvement.
Those who cannot remember the past are condemned to repeat it. We should all strive to avoid making the same mistake twice. Adding a new automated test each time an issue is found will stop that issue from recurring. In addition, tools can be used to create custom analyses of code so that other instances of a newly discovered bug can be found.
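As an added illustration of that last point (this is new example code, not the post’s or OpenSSL’s), here is a bounds-checked parser for a TLS heartbeat message in the RFC 6520 layout, with two constructed messages a regression test can feed it: one well formed, one that claims a far larger payload than it carries. Heartbleed was the omission of the comparison between the claimed payload length and the actual record length; the parser below makes that check and refuses to echo anything the peer did not send. The function names and sample bytes are my own.

```c
/* Added example: a bounds-checked heartbeat parser, written for this post;
 * not OpenSSL's code.  Message layout (RFC 6520): type (1 byte),
 * payload_length (2 bytes, big-endian), payload, then >= 16 bytes padding. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_PADDING 16
#define HB_REQUEST 1

/* Validate a heartbeat message held in rec[0..rec_len).  Returns the claimed
 * payload length if the message is well formed, or -1 if it must be silently
 * discarded.  The comparison against rec_len is the check Heartbleed lacked. */
int hb_validate(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1 + 2 + HB_PADDING)           /* header plus minimum padding */
        return -1;
    unsigned int payload_len = ((unsigned int)rec[1] << 8) | rec[2];
    /* RFC 6520: discard if payload_length + padding exceeds the bytes present */
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return -1;
    return (int)payload_len;
}

/* Echo only the validated payload into out; bytes beyond what the peer
 * actually sent are never read.  Returns bytes written, or -1 on rejection. */
int hb_echo(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len)
{
    int payload_len = hb_validate(rec, rec_len);
    if (payload_len < 0 || (size_t)payload_len > out_len)
        return -1;
    memcpy(out, rec + 3, (size_t)payload_len);
    return payload_len;
}

/* Constructed sample messages for a regression test (22 bytes each). */
static const uint8_t good_msg[] = { HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; /* claims 3, carries 3 */
static const uint8_t bad_msg[]  = { HB_REQUEST, 0xff, 0xff, 'a', 'b', 'c',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; /* claims 65535, carries 3 */

int main(void)
{
    uint8_t out[64];
    printf("good: %d\n", hb_echo(good_msg, sizeof good_msg, out, sizeof out));
    printf("bad:  %d\n", hb_echo(bad_msg, sizeof bad_msg, out, sizeof out));
    return 0;
}
```

Keeping the two sample messages as a permanent test case is exactly the kind of automated check the paragraph above argues for: the bad message must keep returning -1 in every future build.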
Funding for OpenSSL
OpenSSL is currently maintained by a handful of dedicated volunteers, but many large organisations have benefitted from using it. It would be nice to think that one or more of these organisations will now help to provide reliable funding to the OpenSSL project.
One thing is certain. As with the Snowden effect, part of the impact will be additional pressure on IT department budgets as CIOs reassess their security needs. It is hardly surprising that a majority of security professionals think Snowden was good for the industry, an industry which is now very much at the top of the agenda. Even before Heartbleed, businesses were spending more on IT security, but I doubt that further extra money will be on the table.