Encryption Is Our Best Bet for a Secure Web, and Now It's Bleeding
It’s not as if Heartbleed broke the internet; it just exposed it even further as being a flawed, unsafe place to store information.
Encryption is rightly touted as the best way to stay secure and private online. In a world where the NSA has developed powerful tools of attack that jeopardize digital privacy to the fullest extent imaginable (and then some), encryption is essential for scrambling messages to prevent—or at least deter—prying eyes from snooping.
During a talk at the planet’s mecca for cool brands and cool bands, SXSW, Edward Snowden reiterated that “encryption does work,” adding: “We need to not think of encryption as an arcane, dark art, but as basic protection for the digital world.”
That’s not to say that encryption is a surefire win, because there are a multitude of ways that even encrypted communications can be compromised. In fact, Snowden called for stronger encryption in that very same SXSW keynote. So while the goal is to make encryption as easy to use as possible, keeping up with best practices that make encryption effective in a changing cyber-landscape currently requires a fairly nerdy level of attention. Especially in light of recent events.
For example, the computer security community was shaken up last year when revelations of NSA backdoors into popular encryption standards began to make headlines. A company called RSA, which had long been an industry standard for encryption services, was paid $10 million to essentially break its own software—in a clandestine way that only the NSA would be privy to. And, as Reuters reported last month, that backdoor is bigger than anyone had previously imagined.
But beyond clandestine government backdoors, there are bugs within encryption software—just like any other type of software. Enter the Heartbleed bug, which has made a large swath of the internet vulnerable in a big way, by eroding the reliability of a widely used encryption library called OpenSSL. This bug has apparently existed within the library for two years.
Now, if you’re not up on encryption standards and their respective popularity, Meghan Neal wrote an excellent primer on the Heartbleed bug for our sister site Motherboard, where she puts the size of this technical clusterfuck into perspective: “A recent survey from the internet security firm Netcraft showed that 66 percent of websites run on the open source web servers Apache and Nginx, which use OpenSSL by default.”
To learn more about Heartbleed’s impact on the internet, I reached out to Christopher Parsons, a postdoctoral fellow at the Citizen Lab, which is an “interdisciplinary laboratory” at the University of Toronto that primarily studies and investigates “Information and Communication Technologies (ICTs), human rights, and global security.”
In an email, Chris told me: “Heartbleed is a significant vulnerability because a vast number of services rely on OpenSSL to secure client-server communications. In effect, the vulnerability would let someone query a server and extract highly sensitive information (e.g. password/logins, private decryption keys, and other sensitive information stored in a server's memory) without it being evident to the administrator of the server. The result is that Heartbleed gives third-parties a way to access highly sensitive information without administrators' or service-users' knowledge or awareness.”
This, of course, is a major problem. Security aficionados have run mass sweeps of websites to determine just how vulnerable the internet has become as a result of Heartbleed, and some of your favourite online haunts may well be affected; this includes RedTube, Yahoo, OkCupid, Imgur, and Flickr. But not Facebook, Amazon, YouTube, or Wikipedia. So if you plan on paying for a premium subscription at either RedTube or OkCupid this week, perhaps you should hold off until these sites get their shit together; but feel free to order a bunch of books and stock up your farm in Farmville, with purple cows and orchid fields, or whatever it is that people buy in that game.
Imaginary Farmville accessories aside, if you’re a Canadian who felt like doing your taxes online this year, well, Heartbleed has other plans for you. Yesterday the Canadian Revenue Association announced that it would be shutting down all of its public, secure sites until it can figure out what to do with its new friend: the gaping security hole. Right in the middle of the tax season, too. Good going, Heartbleed!
Chris Parsons nearly predicted the CRA’s vulnerability just before they decided to shut down their tax websites, while some of his colleagues and followers criticized the Canadian Cyber Incident Response Centre (CCIRC) for not alerting the public sooner, when it was already obvious the CRA was using a vulnerable version of SSL. Chris discussed the potential ramifications of the CRA’s Heartbleed vulnerability with me:
“A significant amount of highly sensitive tax-related personal information is passed through CRA's online service gateways. A third-party could have, potentially, accessed logins and passwords of Canadians or the private keys of CRA's services. The former set of information would let that party log into CRA and impersonate the person in question. The latter set of data could let the third-party decrypt previously captured client-server information and, as a result, decode not just passwords and logins but also the tax data that individuals provided to CRA.”
It’s not clear if anyone was able to exploit the CRA’s systems before they could shut down entirely, but so far there have been no reports of taxpayer information being jeopardized or stolen. According to the CRA, this problem will be fixed “over the weekend,” and the agency has graciously vowed to not penalize taxpayers for this interruption. As for how they can patch the hole in their system, it’s a simple process that comes with some fine print pertaining to user security. In Chris’s words:
“In most cases it should be relatively straightforward: update to the most recent version of OpenSSL, revoke old certificates, and regenerate new public keys with newly issued certificates. However, this doesn't resolve the problem of someone using the previously captured private keys to decrypt traffic they have previously intercepted, nor does it solve the problem of a third-party having captured users' logins and passwords. It also doesn't fix the problem of a third-party capturing other sensitive information that may have been temporarily placed in the server's memory.”
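The remediation Chris lays out is easy to state and easy to half-finish, so here is an added example (not from the article or from Citizen Lab) that turns it into a checklist an administrator can run over a server inventory. It encodes two facts not spelled out above: the vulnerable OpenSSL builds were 1.0.1 through 1.0.1f and 1.0.2-beta1, with the fix shipping in 1.0.1g on 7 April 2014; and a certificate reissued with the *same* private key does nothing to contain a leaked key. The `ServerRecord` fields and the inventory entries are constructed sample data, not real hosts.

```python
"""Post-Heartbleed remediation checklist over a server inventory (constructed example)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import List

# OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 carried the vulnerable heartbeat code;
# 1.0.1g (released 2014-04-07) and later contain the fix.
FIX_RELEASED = date(2014, 4, 7)


def openssl_is_vulnerable(version: str) -> bool:
    """True if an OpenSSL version string falls inside the Heartbleed range."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter == "" or letter <= "f"      # 1.0.1 .. 1.0.1f
    if (major, minor, patch) == (1, 0, 2):
        return beta == "1"                        # only 1.0.2-beta1 was affected
    return False


@dataclass
class ServerRecord:
    host: str
    openssl_version: str          # version currently installed
    previously_vulnerable: bool   # did this host ever run an affected build?
    cert_not_before: date         # issuance date of the certificate served now
    old_cert_revoked: bool        # old serial appears as revoked (CRL/OCSP)
    key_fingerprint_before: str   # public-key fingerprint before remediation
    key_fingerprint_after: str    # public-key fingerprint served now


def outstanding_steps(rec: ServerRecord) -> List[str]:
    """Return the remediation steps still missing, in the order the quote gives them."""
    still_vulnerable = openssl_is_vulnerable(rec.openssl_version)
    if not still_vulnerable and not rec.previously_vulnerable:
        return []                 # never exposed: no key or certificate work needed
    steps = []
    if still_vulnerable:
        steps.append("update OpenSSL")
    if not rec.old_cert_revoked:
        steps.append("revoke old certificate")
    if rec.key_fingerprint_after == rec.key_fingerprint_before:
        # A fresh certificate over the old key leaves a possibly leaked key in service.
        steps.append("regenerate key pair")
    if rec.cert_not_before < FIX_RELEASED:
        steps.append("reissue certificate")
    return steps


def audit(inventory: List[ServerRecord]) -> dict:
    """Map each host to its list of outstanding steps (empty list = done)."""
    return {rec.host: outstanding_steps(rec) for rec in inventory}


# Constructed sample inventory covering the common end states.
SAMPLE_INVENTORY = [
    ServerRecord("fully-fixed.example", "1.0.1g", True, date(2014, 4, 9), True, "aa:11", "bb:22"),
    ServerRecord("same-key.example", "1.0.1g", True, date(2014, 4, 9), True, "cc:33", "cc:33"),
    ServerRecord("unpatched.example", "1.0.1e", True, date(2013, 6, 1), False, "dd:44", "dd:44"),
    ServerRecord("never-affected.example", "1.0.0k", False, date(2013, 6, 1), False, "ee:55", "ee:55"),
]

if __name__ == "__main__":
    for host, steps in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(steps) if steps else 'remediation complete'}")
```

As the quote warns, an empty list only means the server is no longer leaking and serves a fresh key; traffic captured before the patch and credentials captured through the bug are outside anything this checklist can repair.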
Since this bug has been kicking around in OpenSSL for two years, there is an enormous amount of confidential data that has been “encrypted,” yet vulnerable, and sent through the internet’s many tubes. If a malicious party has been privy to Heartbleed for any amount of time, then there’s nothing anyone can do, retroactively, about any nefarious data collection or interception that may have taken place. So if the NSA, for example, has an archive of traffic and data that was encrypted with OpenSSL spanning the past two years—stored in one of their data centres—then it’s now open season for all of that presumed-to-be-protected information (assuming they didn’t already know about Heartbleed).
But that’s the big, scary, “the U.S. government is watching you” angle. For the average user, you should maybe worry about hackers busting into your OkCupid or Imgur account and matching that password with your Facebook or Gmail. If you’re a one-password type of person, then this is a real concern. Chris suggests that “users would be advised to change their logins across sites; first they should change logins/passwords on *non-affected* sites that share credentials with affected sites. Next, once vulnerable sites and services are patched, they should change their passwords on those vulnerable sites.”
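The ordering Chris recommends is the only non-obvious part, so here is an added example (mine, not the article’s or Citizen Lab’s) that applies it mechanically: group accounts by the password they share, and for any group that touches an affected site, rotate the unaffected sites first and the affected ones only once they are patched. Site names and their affected/patched status are constructed sample data.

```python
"""Order password changes after a credential-reuse exposure (constructed example)."""
from typing import Dict, List


def change_plan(credential_groups: Dict[str, List[str]],
                site_status: Dict[str, dict]) -> Dict[str, List[str]]:
    """Bucket sites into change-now / change-after-patch / no-action.

    credential_groups: label -> sites that share one password.
    site_status: site -> {"affected": bool, "patched": bool (only read when affected)}.
    """
    shared_unaffected, affected_patched, affected_unpatched, untouched = set(), set(), set(), set()
    for sites in credential_groups.values():
        if not any(site_status[s]["affected"] for s in sites):
            untouched.update(sites)          # no affected site shares this password
            continue
        for s in sites:
            status = site_status[s]
            if not status["affected"]:
                shared_unaffected.add(s)     # exposed only through password reuse
            elif status.get("patched"):
                affected_patched.add(s)      # safe to rotate now
            else:
                affected_unpatched.add(s)    # rotating now could leak the new password too
    return {
        # Unaffected-but-shared first, then affected sites that are already patched.
        "change_now": sorted(shared_unaffected) + sorted(affected_patched),
        "change_after_patch": sorted(affected_unpatched),
        "no_action": sorted(untouched - shared_unaffected - affected_patched - affected_unpatched),
    }


# Constructed sample: which sites were hit and whether they have patched yet.
SAMPLE_SITE_STATUS = {
    "photo-site":     {"affected": True,  "patched": False},
    "dating-site":    {"affected": True,  "patched": True},
    "webmail":        {"affected": False},
    "social-network": {"affected": False},
    "bookshop":       {"affected": False},
    "news-site":      {"affected": False},
}

# Constructed sample: each label is one password reused across the listed sites.
SAMPLE_CREDENTIALS = {
    "reused-password-1": ["photo-site", "webmail", "social-network"],
    "reused-password-2": ["dating-site", "bookshop"],
    "unique-password-3": ["news-site"],
}

if __name__ == "__main__":
    for bucket, sites in change_plan(SAMPLE_CREDENTIALS, SAMPLE_SITE_STATUS).items():
        print(f"{bucket}: {sites}")
```

Every site in `change_now` should receive its own new password; rotating a reused password to another reused password just rebuilds the problem the plan is meant to break.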
As you can probably tell by now, a bug as big as Heartbleed causes a ripple effect of broken trust online. The bug has dented the integrity of OpenSSL, and when you consider that alongside news stories about NSA backdoors in RSA encryption, which are still stinging cryptography enthusiasts the world over, it’s evident that even some of our most complex and robust encryption standards are vulnerable to massive exploits... and the consequences of that are a bit unnerving.
Ultimately, shake-ups like this tend to make tech companies wise up a bit. After all, even though Yahoo was vulnerable to Heartbleed when the bug was announced, they claim to have already patched everything up, and are making moves to have their free webmail service completely encrypted. Granted, it’s hard to trust a company that let Heartbleed fuck their whole game up—but at least they’re trying to combat the seismic forces of government surveillance and pervasive encryption bugs with large-scale encryption.
In a world where massive, code-cracking spy agencies appear to have a “catch ‘em all” approach to digital data collection—expecting any sort of privacy online is a fool’s game. But with massive encryption bugs like Heartbleed in the mix, it can be tempting to return to an analog world of handwritten notes and in-person visits—if you’re at all concerned about the security of your information.
That said, even though privacy online may be a total illusion, and keeping your credit card number away from hackers and scam artists can seem like a roulette game, many of the web’s major players avoided the Heartbleed effect. And, it’s not as if Heartbleed broke the internet; it just exposed it even further as being a flawed, unsafe place to store information much of the time, and it makes me wonder, personally, when we’ll discover the next bleeding heart-shaped hole—smack dab in the middle of the internet.
It probably won’t be long.
This post first appeared on VICE.