How we failed post-Heartbleed
There’s no doubt Heartbleed was one of the most devastating events in cyber security in the last decade. Security and IT teams alike rushed to fix the vulnerability and the media went into a frenzy. While the fact that it was so quickly addressed and brought to light was impressive, I was astonished by the fact that a huge number of websites affected by Heartbleed regenerated their certificates with the same private key. If I had tweeted about this, I might have used #facepalm. While I was quite impressed by the mobilization of the internet to address the issue so early on, I was equally stunned by the total failure in the efforts to fix the problem properly.
Heartbleed – The Bare Basics (Skip if you understand Heartbleed and key-pairs)
Heartbleed was a bug in OpenSSL’s implementation of the TLS heartbeat extension that let an attacker read chunks of a server’s process memory (up to 64 KB per request, repeated as often as they liked) from any host running a vulnerable OpenSSL. Seeing as we use OpenSSL to establish encrypted communication channels, that process memory holds some significant secrets: the server’s private key, session keys, and whatever plaintext happened to be in flight. A huge deal. Simply explained, the process we use to set up this encryption relies on a key pair: a private key, which must never leave the server, and a public key derived from it. These two keys are mathematically bound; you cannot replace one without also changing the other. Then we pay some blood money (and also use some fancy math, in the form of a certificate signing request) to have a CA issue an SSL certificate, which is really just our public key plus our identity, signed by the CA. A server proves it is the legitimate owner of that certificate by proving it holds the matching private key, which is exactly why a leaked private key is the whole ballgame. OK, now to discuss what happened with Heartbleed …
The Victories
Heartbleed was an incredible event from several angles: the extent of the exposure, but also the swiftness and range of the response. We saw large segments of the internet organize to react in a span of time that is almost unparalleled. It could be that there is something in the air, or maybe it’s the sheer quantity of headlines we’ve seen regarding breaches over the past several months, but people heard about this issue and then actually reacted. This is amazing; even if it took people a few hours or even days, they rushed to attend to the problem in an impressive way. This was definitely an accomplishment on behalf of those who were publicizing the problem and for those accountable for the vulnerable hosts out there on the internet.
The Failures
The article I previously mentioned puts the spotlight on our failures regarding Heartbleed: the majority of those who responded did so in a way that showed we hadn’t succeeded in educating the public about what the actual issue was. The potential impact of the Heartbleed bug was that the private key your server uses to authenticate itself during the SSL/TLS handshake could be read straight out of memory. The advice handed out was to replace your server’s certificate. This is exactly what many people did, but they generated the new certificate from the same private key. A certificate reissued for the same key pair contains the same public key, so an attacker who pulled the private key out of memory before the patch can still impersonate the site, and, for cipher suites without forward secrecy, still decrypt any traffic they captured. The effort left those sites exactly as exposed as before. Lack of education is clearly the failing point here. It is the responsibility of those of us with a deep technical understanding to fully explain the impact of major issues such as this one, with concise and explicit instructions, in order to assist those who are new to the game. We failed to do so, as proven by the unfortunate people who wasted their time replacing their certificates without generating a new private key.
To make sure I’m following my own advice, here is the cheat sheet for what you need to do with OpenSSL. Do this only after you have upgraded OpenSSL (or restarted against a patched library); a new key generated on a still-vulnerable server leaks exactly the same way.
1. Generate a new private key (2048 bits 'cause why not?). The -des3 option protects the key file with a passphrase; leave it out if your server has to start unattended.
openssl genrsa -des3 -out privkey.pem 2048
2. Create a certificate signing request from the new key (not from the old one, and not by reusing an old CSR file, since the CSR carries the public key).
openssl req -new -key privkey.pem -out cert.csr
3. Send cert.csr to your CA, install the certificate it returns together with privkey.pem, restart the service, and revoke the old certificate so the leaked key cannot be paired with it until it expires.
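The following script is an added example and is not part of the original post. It acts out the failure described above with a throwaway local CA standing in for a commercial one: it issues a certificate for a key we pretend was leaked through Heartbleed, "renews" that certificate from the same key, then does it properly with a fresh key, and compares the SubjectPublicKeyInfo fingerprint of each certificate against the leaked key. Only the openssl command-line tool is assumed; every file name, the subject names and the helper functions are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: shows why a certificate reissued
# for the SAME private key leaves a Heartbleed victim exposed, and how to check
# that a renewal really changed the key. Assumes only the openssl CLI.
# The "CA" below is a throwaway local one standing in for a commercial CA.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# SHA-256 of the DER-encoded SubjectPublicKeyInfo held in a private key file.
# Two PEM files carry the same public key iff these fingerprints match.
spki_fp_of_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | sed 's/.*= //'
}

# The same fingerprint, but taken from the public key inside a certificate.
spki_fp_of_cert() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/.*= //'
}

# cert_matches_key CERT KEY: succeeds when CERT was issued for KEY's public
# key, i.e. whoever holds KEY can still authenticate as CERT's subject.
cert_matches_key() {
    [ "$(spki_fp_of_cert "$1")" = "$(spki_fp_of_key "$2")" ]
}

# issue_cert KEY OUT: build a CSR from KEY and have the local CA sign it.
issue_cert() {
    openssl req -new -batch -key "$1" -subj "/CN=www.example.test" -out "$2.csr"
    openssl x509 -req -in "$2.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -out "$2" 2>/dev/null
}

# Throwaway CA (constructed for this example).
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -x509 -batch -key ca.key -subj "/CN=Example Test CA" -days 1 -out ca.crt

# 1. The key pair that sat in the server's memory while it was vulnerable.
#    Assume an attacker read it with a Heartbleed request.
openssl genrsa -out leaked.key 2048 2>/dev/null
issue_cert leaked.key old.crt

# 2. The mistaken fix seen after Heartbleed: a new certificate from a CSR
#    built on the old key. Same public key inside, so the stolen key still works.
issue_cert leaked.key reissued.crt

# 3. The correct fix: new private key first, then a certificate for it.
openssl genrsa -out fresh.key 2048 2>/dev/null
issue_cert fresh.key fresh.crt

# renewal_is_safe CERT LEAKED_KEY: succeeds if the renewed CERT no longer
# matches the leaked key, fails if the renewal was useless.
renewal_is_safe() {
    if cert_matches_key "$1" "$2"; then
        echo "UNSAFE: $1 still carries the public key of $2 ($(spki_fp_of_key "$2"))"
        return 1
    fi
    echo "OK: $1 was issued for a different key than $2"
}

renewal_is_safe reissued.crt leaked.key || true   # the #facepalm case
renewal_is_safe fresh.crt leaked.key              # what should have happened
```

To run the same check against a live site, feed the certificate the server actually presents into spki_fp_of_cert, for example the output of openssl s_client -connect host:443 piped through openssl x509, and compare it with the fingerprint of the key you believe was exposed; if they match, the "renewal" changed nothing.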
The Future
We are progressing! An issue was discovered, we reacted, the world took action. We just need to supply some education in that process for future reference. Our industry is fantastic at pointing out where things go wrong and where vulnerabilities exist, but one area that needs improvement is the education and sharing of that knowledge in an easily digestible way. It’s key to remember that smaller businesses are the ones who may be most susceptible, along with organizations that simply don't have the specialist resources or even the budget to work out all of the answers. Security is a problem that involves everyone, and therefore it is our duty to arm the public with the essential basic knowledge to combat threats like Heartbleed when they hit, especially considering the catastrophic nature of this vulnerability. If history can teach us anything, there’s absolutely no doubt this won't be the last major security flaw, so let's all resolve to keep these principles in mind; ultimately, it will make our jobs a lot easier in the long term.