Consumers may well have lost sensitive data without even knowing it due to the high-profile 'Heartbleed' vulnerability discovered this week in the world's most popular software for managing secure e-commerce and other connections.
The vulnerability, officially known as CVE-2014-0160, affects the OpenSSL implementation of the Secure Sockets Layer (SSL) technology used to encrypt data between browsers and Web sites to facilitate the exchange of private information such as passwords and credit card details.
Detected by Google Security's Neel Mehta, the vulnerability lies in the poor handling of TLS heartbeat signals, which allows a malicious outsider to take information from a client system in 64KB chunks, big enough to contain an entire Web page, numerous pages of a document, or even part of a digital image.
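As an added illustration, not code from the article or from OpenSSL itself, the C sketch below shows the RFC 6520 heartbeat layout and the bounds check that the OpenSSL fix adds: the peer-supplied payload length must fit inside the bytes actually received. Function names are this example's own; constants are the RFC's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage: type (1 byte), payload_length (2 bytes, big-endian),
 * payload, then at least 16 bytes of padding. Constants are the RFC's; the
 * function names are ours (example code, not OpenSSL's). */
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16

/* The bounds check the OpenSSL 1.0.1g fix adds: the peer-supplied
 * payload_length must fit inside the bytes actually received. Returns 1 and
 * sets *payload_len when the record may be echoed, 0 when it must be dropped
 * silently. The vulnerable code skipped this and copied payload_length bytes
 * from wherever the record ended, which is how adjacent memory leaked. */
int heartbeat_validate(const uint8_t *rec, size_t rec_len, size_t *payload_len)
{
    if (rec == NULL || rec_len < HB_HDR_LEN + HB_MIN_PADDING)
        return 0;                          /* too short to carry padding */
    if (rec[0] != 1 && rec[0] != 2)
        return 0;                          /* not a heartbeat request/response */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR_LEN + claimed + HB_MIN_PADDING > rec_len)
        return 0;                          /* claimed length exceeds the record */
    *payload_len = claimed;
    return 1;
}

/* Build a heartbeat_response that echoes only the validated payload.
 * Returns bytes written, or 0 if the request is rejected or out is too small. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    size_t plen;
    if (!heartbeat_validate(rec, rec_len, &plen) || rec[0] != 1)
        return 0;
    size_t need = HB_HDR_LEN + plen + HB_MIN_PADDING;
    if (need > out_cap)
        return 0;
    out[0] = 2;                            /* heartbeat_response */
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)(plen & 0xFF);
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, plen);
    memset(out + HB_HDR_LEN + plen, 0, HB_MIN_PADDING); /* real code uses random padding */
    return need;
}
```

A constructed 23-byte request whose header claims a 65535-byte payload is rejected by heartbeat_validate and produces no response, whereas the same record with a truthful 4-byte length is echoed as a 23-byte response.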
This information could also include the encryption keys that form the basis of Web site security; Codenomicon, which has published a detailed description of the bug and its implications, describes those keys as “the crown jewels” that “...allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will.”
“Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed,” the group added. “Recovery from this leak requires patching this vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past still vulnerable to decryption.”
OpenSSL's short security advisory – and its fix for the problem with the release of OpenSSL v1.0.1g – belies the severity of the problem, which has been called a “big deal” by security experts who have seen all manner of vulnerabilities in the past.
That's because OpenSSL is the default encryption toolkit for Web servers such as Apache, which singlehandedly runs more than half of all active Web sites. It's also more likely to hit Mac OS X and Linux systems, which tap into open-source libraries and are more likely to be running software that uses OpenSSL.
The implications for everyday Web users are significant, according to Ty Miller, principal of security consultancy Threat Intelligence, who warns that the ubiquity of OpenSSL may leave all kinds of devices vulnerable.
“The vulnerability doesn't only affect servers,” he said. “It affects any software that uses the vulnerable version of OpenSSL on your laptop, mobile device, TV, fridge, and so on... Now that the vulnerability has been released and confirmed to be exploitable, publicly available exploits are already being worked on and released. It won't be long before systems are becoming compromised.”
Security enthusiasts were scrambling to quantify the extent of the problem, which is said to have affected 1312 of Alexa's current top 10,000 web sites – ranging from Yahoo, Akamai, NASCAR, Gamespot, Creative Commons, and the Victorian State government to security firms McAfee, Symantec, Avast!, and others.
Website administrators must upgrade their OpenSSL implementation immediately, although experts warn that the need to re-issue digital certificates – a complex and painstaking process – will complicate things significantly.
“If your Web browser or email client uses a vulnerable version of OpenSSL and you visit a malicious SSL server, then you could have data stolen directly from your laptop without even knowing it,” Miller warned. “This could be anything from a photo of your cat through to your banking username and password.”
“Realistically, consumers won't be the direct targets since there is an enormous number of SSL servers on the Internet who will become the first victims. This vulnerability is likely to lead to large scale security breaches of organisations, cloud environments, and Web applications. But the arguably scarier part of this vulnerability is that it doesn't leave a trace.”