"SSL" and "TLS" refer to the transport protocols that are used widely across the web to secure communications between end users and servers. Websites, web applications, online services, portals, and even some virtual private networks (VPNs) use SSL/TLS. The use of these security protocols cuts across all industries: healthcare, retail, communications, banking, social networks, web email, utilities, gaming and many others.
SSL/TLS has had many problems in the recent past, and we will address some of the continuing problems, and what to do about them, in a future blog post. For now, however, the most important thing is for companies to fix The Heartbleed Bug, which is a very serious vulnerability disclosed this week that could easily lead to data breaches in which there is no encryption safe harbor available to the targeted company.
It turns out that the OpenSSL library, which enjoys wide and pervasive use in many SSL/TLS implementations, has a serious flaw. The vulnerability management firm Codenomicon described the nature of The Heartbleed vulnerability as striking at the heart of cryptographic protections by allowing for the compromise of secret keys:
The Heartbleed Bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
A new version of OpenSSL has been released and the bug can be fixed by updating to the latest version. If updating is not feasible, then prior versions of OpenSSL can be recompiled to remove the bug.
Fixing the bad code is not enough, however. Companies that have fixed the vulnerability should approach their Certificate Authorities for new certificates and private keys. This is critical because of the real possibility that secret keys have been compromised as a result of the Heartbleed bug.
Once new certificates are in place, end users should create new passwords for protected accounts where OpenSSL had been used.
The Long Tail of Heartbleed
Many systems, other than websites, however, may contain the Heartbleed vulnerability for a long time. This is because things such as home automation and routers, network devices (including enterprise network devices), and even industrial control systems, are not readily updated and simply won’t be a priority. Unfortunately, Heartbleed will likely remain a risk for a long time to come.