The race is now on to re-secure thousands of cloud services, service providers and an unknown quantity of end user client systems following the announcement of the SSL Heartbleed security flaw this week.
One of the key steps in this is the need for concerned service providers and website operators to issue new digital certificates, which encrypt traffic between users and online services, and New Jersey-based Comodo has already issued 'tens of thousands' of new certificates over the last day or two.
It is thought that the Heartbleed vulnerability, which allows stealing information that is normally protected by the SSL/TLS encryption used to secure the Internet, might also allow an attacker to obtain the private key for an SSL (Secure Sockets Layer) certificate. With that, an attacker could create a fake website with an SSL certificate that passes the verification test indicated by a browser's padlock.
The flaw can also be used by an attacker to pull sensitive data such as recent user login details, in 64K chunks from a Web server.
According to statistics on web servers compiled by Netcraft, the vulnerability could affect as many as 500,000 websites using digital certificates issued by trusted certificate authorities.
One of the worrying aspects of the bug is that it is difficult to know if any hackers have actually used it, for no trace is left of any malicious access to a website. So it remains unknown at present if cybercriminals or state-sponsored hackers had been exploiting the flaw prior to its public release.
It is to be assumed, however, that if the flaw has been spotted by security professionals then it will also have been spotted by some in the hacker community.
The issue has not been helped by the fact that the normal approach to handling the discovery of such a flaw was, it appears, not followed with Heartbleed. Normally the security companies are advised at the same time and all work to create patches for the flaw before it is publicly announced. That way, the security industry as a whole could present a coherent defence against it.
This time, however, it appears that the normal disclosure procedure broke down and only two companies, Google and Cloudflare, were informed early and had patched their services before the public disclosure.
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software, albeit in 64kByte chunks. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
As long as the vulnerable version of OpenSSL is in use it can be abused. Affected users should upgrade to OpenSSL 1.0.1g.
Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
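The upgrade and recompile advice above can be turned into a check an administrator runs against the output of `openssl version`. This is an added example, not code from the article; it assumes (beyond what the article states) that the affected releases are 1.0.1 through 1.0.1f and 1.0.2-beta1, that the 0.9.8 and 1.0.0 branches never shipped the heartbeat code, and that `openssl version -f` prints the build's compiler flags.

```python
"""Classify an OpenSSL version banner against the Heartbleed advisory."""
import re
import subprocess

# Banner shape: "OpenSSL 1.0.1f 6 Jan 2014" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\w+))?")


def parse_banner(banner):
    """Return (major, minor, fix, letter, prerelease) parsed from a banner."""
    m = _BANNER.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter, pre or ""


def heartbleed_status(banner, cflags=""):
    """Return 'vulnerable', 'patched' or 'unaffected' for a banner.

    cflags is the compiler line from `openssl version -f`; a build that
    defines OPENSSL_NO_HEARTBEATS has the heartbeat code compiled out.
    """
    if "-DOPENSSL_NO_HEARTBEATS" in cflags:
        return "patched"
    major, minor, fix, letter, pre = parse_banner(banner)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f carry the bug; 1.0.1g is the fix.
        return "vulnerable" if letter < "g" else "patched"
    if (major, minor, fix) == (1, 0, 2):
        # Assumption: only the first 1.0.2 beta was affected.
        return "vulnerable" if pre == "beta1" else "patched"
    return "unaffected"  # 0.9.8 and 1.0.0 branches predate the heartbeat code


def local_status(openssl="openssl"):
    """Classify the openssl binary on PATH.

    Caveat: distributions that backport the fix keep the old banner (a patched
    1.0.1e still says 1.0.1e), so 'vulnerable' here means 'confirm against the
    package changelog', not proof of exposure.
    """
    run = lambda *args: subprocess.run([openssl, *args], capture_output=True,
                                       text=True, check=True).stdout
    return heartbleed_status(run("version"), run("version", "-f"))


if __name__ == "__main__":
    # Sample banners written in the format of `openssl version` output.
    for sample in ("OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 1.0.0l 6 Jan 2014"):
        print(sample, "->", heartbleed_status(sample))
```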
Operating system vendors and distributions, appliance vendors and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.