Getting to the Heart(bleed) of the Problem

University visiting scholar, research fellow discuss cybersecurity in wake of massive Web vulnerability.

April 16, 2014

By James Irwin

Heartbleed, a vulnerability affecting nearly two-thirds of the Internet, is raising all sorts of questions over how secure a “secure” connection really is on the Web. George Washington Today sat down with Cyber Security Policy and Research Institute Visiting Scholar Allan Friedman and research fellow Trey Herr, a second-year graduate student in the Columbian College of Arts and Sciences, to discuss the Heartbleed bug and the issues it’s created.

Q: What is Heartbleed, and how did the problem originate?
TH: Let’s say you’re a Facebook server and I’m a laptop. I come to you to establish a connection. When you do that there’s a protocol called a ‘handshake.’ This secures part of what’s called a secure socket layer (SSL) that enables a connection. The handshake produces a session key that allows the two machines to talk.

This Facebook session can last a long time. It’s inefficient for me to have to come back to you and do a new handshake every time I want to send data, so there’s a part of the SSL called a ‘heartbeat.’ It sends a ping between the browser and server at regular intervals to maintain the current session. Heartbleed is a vulnerability that exists in the code that establishes this heartbeat.

Q: What happened with the vulnerability?
TH: SSL relies on any one of a number of different libraries. One is called OpenSSL and that’s where the Heartbleed vulnerability originated. The problem is that the code, as it was written, didn’t set a limit on how much information my computer can request from a server. An attacker can go to Facebook, request the heartbeat key and take every piece of data on either side of it, up to 64 kilobytes each time.
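Added illustration, not code from the interview or from OpenSSL: a cut-down C model of the heartbeat exchange Herr describes, showing what goes wrong when the claimed payload length is trusted and what the fix checks instead. The arena, the offsets and the "SESSION-KEY" string are constructed stand-ins for server memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added model, not OpenSSL's code. A heartbeat record (type byte, 2-byte
 * big-endian payload length, payload, 16 bytes padding) sits at the start
 * of a small arena standing in for process memory; a made-up "secret"
 * sits further along, where the server's other data would be. */
#define HB_PADDING 16
#define ARENA_SIZE 128
#define SECRET_AT  64
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "SESSION-KEY";

/* Build a request that claims `claimed` payload bytes but carries only
 * `payload`; returns the record's real length as received. */
size_t build_request(uint16_t claimed, const char *payload) {
    size_t n = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                            /* heartbeat request */
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 3, payload, n);
    memcpy(arena + SECRET_AT, secret, sizeof secret);
    return 3 + n + HB_PADDING;
}

/* Echo the payload back. With checked == 0 the claimed length is trusted
 * (pre-fix behaviour, clamped to the arena so the model stays defined);
 * with checked != 0 the claimed length must fit inside the bytes actually
 * received, as the fix requires, else the request is dropped (-1). */
int echo(unsigned char *out, size_t out_sz, size_t record_len, int checked) {
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    if (checked && 1 + 2 + claimed + HB_PADDING > record_len) return -1;
    if (claimed > out_sz || 3 + claimed > ARENA_SIZE) return -1;  /* model bound */
    memcpy(out, arena + 3, claimed);
    return (int)claimed;
}

/* Run one request end to end: -1 dropped, 1 reply contains the secret,
 * 0 reply is clean. */
int outcome(uint16_t claimed, const char *payload, int checked) {
    unsigned char out[ARENA_SIZE];
    int n = echo(out, sizeof out, build_request(claimed, payload), checked);
    if (n < 0) return -1;
    for (int i = 0; i + (int)sizeof secret <= n; i++)
        if (memcmp(out + i, secret, sizeof secret) == 0) return 1;
    return 0;
}
```

A request carrying two bytes but claiming 100 pulls the neighbouring "secret" into the reply when unchecked, and is dropped when the received length is checked; an honest request passes either way.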

The major question regarding Heartbleed is the extent of the damage. "Most of the large companies affected quickly patched the vulnerability," Visiting Scholar Allan Friedman said. "What we don’t know is who was able to access what type of data in the narrow window between when the vulnerability was identified and the companies scrambled to patch it."

AF: Often that data is junk—random garbage. But there’s the possibility the attacker might be able to access usernames, passwords or sensitive content. Worst case: They can access the important secrets the Web server uses to keep all its data secure.

Q: How does this affect people and organizations?
AF: What’s rather dangerous is we don’t know what’s been compromised. Often when you have a vulnerability it will only affect a small number of people and you’ll be able to say a bad guy probably got a certain type of information. In this case, anyone who could move quickly could potentially get a lot of information because there was no limit to the amount of times you could try and pull information from the server.

Q: How widespread is the problem?
AF: It affects a huge number of websites, including social media and e-commerce. But, notably, almost no financial services sites were vulnerable—they use a different set of tools to protect personal information. The important thing is the software doesn’t affect data “at-rest.” It’s not about the data that’s sitting on a disk somewhere. This is all about data being used in real-time by a Web server.

TH: Unfortunately, knowing about this also means the cow is already out of the barn. This code has been in the OpenSSL library for about two years, which means at any point during that time, if someone knew about the vulnerability, they could have taken advantage of it.

Q: How difficult will it be to fix this?
AF: By now most of the companies that were affected have found out and have updated their software to close their vulnerability. But Web servers for large sites are very complicated and it’s not always as easy as clicking “update the software.” Those of us who use personal computers occasionally are annoyed by having to close out our windows before we reboot. Imagine how much more complicated that is on a server that’s still serving hundreds of thousands of people at a time.

TH: In terms of patching, there certainly are industries moving slower than others. There’s a large degree of fragmentation in the Android database, for example, with people using different versions of the operating system. Patching that is going to take time. The same goes for companies that have a Web presence and use OpenSSL but aren’t Web-centric organizations.

Q: What can individuals do?
AF: Mashable has a fairly comprehensive list of affected sites, and we may learn of certain websites that were more seriously compromised than others. It’s also important to remember your email password must be different from any other password you use. It’s very important for security—we use our email to recover account information for everything.

TH: And, if for some reason you haven’t updated your passwords on popular websites over the past few years, consider yourself admonished and go change them.