by Dilip Mistry
The Finnish company Codenomicon, together with Google researcher Neel Mehta, has recently discovered a flaw in OpenSSL, a widely used implementation of the web encryption technologies Secure Sockets Layer (SSL) and Transport Layer Security (TLS). The technology is used all over the Internet to encrypt sensitive personal data with a high potential for fraudulent use, such as passwords and credit card details on e-commerce, instant messaging and email websites. The encryption service is indicated by the https:// in the website address and the small padlock in the top left-hand corner of a web browser whenever a secure exchange of information is taking place.
The Heartbleed Bug affects only the OpenSSL 1.0.1 and 1.0.2-beta releases, but these represent over 60% of the Internet. Codenomicon’s mantra, “It’s what you don’t know that makes you vulnerable”, is particularly apt here. Not only had the Heartbleed Bug gone undetected for more than two years, since this version of OpenSSL was introduced in December 2011, but exploiting the vulnerability leaves no trace.
A patch to fix the vulnerability has been widely released and adopted by the majority of the websites affected. The problem is that material fraudulently intercepted during the period the Heartbleed Bug went undetected can still pose a major security threat. As well as passwords, the flaw has also left websites’ digital certificates open to exploitation by fraudsters. If a website’s digital certificate was misappropriated before the vulnerability was removed, it can then be altered to misrepresent itself as a different website with a different identity. Whether organisations revoke and reissue their digital certificates, or wait for them to expire before replacing them, there is still a period during which the risk of fraudulent use remains.
The main concern for individuals is the gap between the moment the vulnerability first existed, its public announcement and the complete roll-out of the patch to fix it. Because of the nature of the Heartbleed Bug, any attempts to fraudulently misappropriate passwords and other secure details will have left no trace, whether those attempts succeeded or not. The vast majority of websites will by now have updated their security, and the recommendation is to change the passwords on your accounts. This can seem like a mammoth task, but instead of changing every one of your passwords, have a look at this list of which sites were affected by the Heartbleed Bug, which ones have applied their security patches and which ones you need to change now.
This bug is particularly relevant for mobile users given the growth of m-commerce, and it serves as a reminder that when purchasing from inside apps in particular, it is not always possible to see whether the connection is secure. Whilst the vulnerabilities in OpenSSL have demonstrated that it is not always enough to trust a padlock and https://, there is often little or nothing in an app beyond the reassurance of its developers that it is secure. Little wonder, then, that mobile is one of the fastest growing areas for fraud and identity theft.