If you've ever done banking or bought something online, chances are you've noticed the little “lock” icon sitting in your web browser's address bar. That lock is extremely important. It means that your connection to the website is protected with something called SSL/TLS, an encryption scheme that prevents eavesdroppers from seeing every page you view, every password you enter, and every credit card number or email address you submit through a form.
Now, imagine that this security measure—more specifically, a popular implementation called OpenSSL—has had a critical flaw for the past two years, allowing sensitive data to leak from around two-thirds of all the servers on the Internet.
It sounds nightmarish, but that's exactly what a group of security researchers revealed on Monday when they presented a security hole called “Heartbleed.”
The bug has been hidden for at least two years, and it allows an attacker to yank tiny chunks of data, ad infinitum, straight from the working memory of any server running a vulnerable version of OpenSSL. Those chunks can yield a website's certificates and encryption keys, which the attacker can use to decrypt traffic, collect passwords and credit card numbers, and even masquerade as the website itself, using the credentials to spread malware or trick users into spilling more secrets. Worse, the two-year window means that if a site's encrypted traffic has been previously collected—say, by an intelligence agency—the eavesdropper could now retroactively decrypt and read that content using the stolen SSL keys, and there's nothing the site or the user can do about it. The bug is named “Heartbleed” because it involves a hole in OpenSSL's “heartbeat” extension, which lets the server maintain a persistent secure connection.
So what is the impact?
Security researchers are describing this vulnerability as nothing short of catastrophic, and for good reason. OpenSSL is the default cryptographic library used for SSL/TLS on two popular web servers called Apache and nginx, which run 66 percent of all servers on the Internet. Notable destinations that have been affected include Yahoo, Flickr, OKCupid, the FBI's website, and virtual private network services like HideMyAss. According to a master list posted to GitHub around mid-afternoon on Tuesday, 629 of 3,700 SSL-using sites in the top 10,000 are vulnerable to Heartbleed.
Several sites have updated to the patched version since then, including Yahoo, which issued a statement saying it has “made the appropriate corrections across the main Yahoo properties,” including “Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr.” OKCupid, the image sharing site Imgur, and the FBI's website also appear to have reissued their certificates, according to scans run late Tuesday evening.
It's not just websites: the Heartbleed bug potentially affects anything that uses OpenSSL, including many chat and email servers. The developers of Tor, the popular anonymous web browser, advise that anyone wanting private or anonymous communications “might want to stay away from the Internet entirely for the next few days while things settle.”
But perhaps the scariest aspect of Heartbleed is that it leaves no trace, making it hard to tell how many adversaries have been secretly exploiting it in the two years since it was introduced. We know that U.S. and U.K. intelligence agencies have been collecting “Upstream” Internet traffic in bulk, so it's certainly possible they've known about the bug and have been using it to unscramble the encrypted web communications the NSA has most likely been storing in its Utah Data Center. Foreign governments and organized cybercrime gangs that sell stolen accounts and credit cards in bulk are also possible culprits. Readers of the tech site Ars Technica reported having their accounts hijacked just hours after the bug was disclosed; the site has since patched the vulnerability and rotated its SSL certificate.
What must be done?
Unfortunately there's not much the average person can do—at least not until the vulnerable sites update to the latest version of OpenSSL and re-issue their security credentials. Users will definitely want to change their passwords on all of the affected sites, but only after those sites refresh their security. If you change them before the sites are updated, there's no guarantee your new passwords won't also be compromised.
There's one more thing site owners could do, however. In the long run, implementing an encryption technique called Perfect Forward Secrecy might mitigate some of the damage caused by this kind of security disaster. It works like this: normally, if an attacker—say, the National Security Agency—is capturing a site's encrypted traffic en masse, all of that data can be retroactively decrypted if the attacker manages to steal the site's SSL key (something the Heartbleed bug makes very much possible). But with Perfect Forward Secrecy, a compromised key wouldn't allow them to “go back in time” and read everything. In other words, it means a compromised encryption key would only expose the current session, not your entire history of pages viewed, passwords entered, and so on.
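The difference described above can be shown with a toy model. This is an added example, not code from OpenSSL or from anyone quoted in this article; the parameters, the XOR cipher and every function name are constructed for illustration and are far too small for real use.

```python
import hashlib
import secrets

# Toy parameters constructed for this example; far too small for real use.
P, G = 2**127 - 1, 3                      # Diffie-Hellman modulus and generator
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537
RSA_N = RSA_P * RSA_Q                     # server's long-term public modulus
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # long-term private key


def seal(key: int, msg: bytes) -> bytes:
    """Toy XOR cipher (messages up to 32 bytes); applying it twice decrypts."""
    pad = hashlib.sha256(str(key).encode()).digest()
    return bytes(m ^ k for m, k in zip(msg, pad))


def rsa_session(msg: bytes) -> dict:
    """No forward secrecy: the client encrypts the session key to the
    server's long-term key. Returns what an eavesdropper records."""
    session_key = secrets.randbelow(RSA_N - 2) + 2
    return {"enc_key": pow(session_key, RSA_E, RSA_N),
            "ct": seal(session_key, msg)}


def dhe_session(msg: bytes) -> dict:
    """Forward secrecy: both sides pick fresh exponents, derive the same
    secret, and discard the exponents when the session ends."""
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    A, B = pow(G, a, P), pow(G, b, P)
    shared = pow(B, a, P)
    assert shared == pow(A, b, P)         # client and server agree
    # The long-term key only signs the server's ephemeral value.
    digest = int.from_bytes(hashlib.sha256(str(B).encode()).digest(), "big")
    return {"A": A, "B": B, "sig": pow(digest % RSA_N, RSA_D, RSA_N),
            "ct": seal(shared, msg)}


def readable_after_key_leak(wire: dict, leaked_d: int):
    """What a recorded session gives up once the long-term key is exposed."""
    if "enc_key" in wire:
        session_key = pow(wire["enc_key"], leaked_d, RSA_N)
        return seal(session_key, wire["ct"])
    # With DHE the leaked key can only check or forge signatures; the
    # shared secret depended on a and b, which no longer exist.
    return None
```

Calling `readable_after_key_leak(rsa_session(msg), RSA_D)` returns the original message, while the same call on a `dhe_session` recording returns `None`.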
Yan Xu, a technologist for the Electronic Frontier Foundation, explains: “In the aftermath of yesterday's events, it's clear that forward secrecy is necessary to protect against unforeseeable threats to SSL private keys. Whether that threat is an existing or future software bug, an insider who steals the key, a secret government demand to enable surveillance, or a new cryptographic breakthrough, the beauty of forward secrecy is that the privacy of today's sessions doesn't depend on keeping information secret tomorrow.”
In the end, maybe this all will be a learning experience. But most of us will never look at that lock icon the same way again.