On April 7, researchers at Google® and Codenomicon™ announced identification of a memory handling security flaw in OpenSSL, one of the most widely used technologies for protecting private data exchanged over the internet. It has been labeled the “Heartbleed” bug as a way of expressing that it exploits weaknesses in the implementation of the “heartbeat” synchronization signal exchanged between end-points of a secured connection. OpenSSL is an open-source implementation of the Secure Sockets Layer and Transport Layer Security (TLS) cryptographic protocols for exchanging information over networks.
Since OpenSSL was believed to be sound implementations of the protocol and has been available for use without royalty or fee for years, it is one of the most pervasively used encryption libraries across the internet. This unpleasant data vulnerability surprise plainly underscores that businesses must protect consumer data applying a defense-in-depth strategy.
The bug allows third parties to surreptitiously and undetectably download up to 64 kilobytes of data from a server’s active memory on a regular and frequent basis. Putting that in context, a typical password or asymmetric decryption key consumes only a few hundred bytes at most, meaning that a third party might obtain tens of thousands of user credentials in a single execution of the exploit.
Websites such as Yahoo®, Flickr®, and others were vulnerable to exploits of the bug, while others such as Facebook®, Amazon®, and Google® were not, at the time of the announcement. Many at risk websites have or are in the process updating their OpenSSL libraries to the version that fixes the bug.
The issue is so grave that a website dedicated to documenting its details and offering recommendations has been established at heartbleed.com, and many commentators discuss its origins, impacts, and offer advice to consumers regarding why, how, and when to change passwords they use online.
As egregious as this situation is, the webcomic XKCD® by Randall Munroe captured the situation best. In a recent strip entitled “Heartbleed” where two characters remark, “Heartbleed must be the worst web security lapse ever.” “Worst so far. Give us time.” While this is a profound risk to consumer’s private data, it would be naïve to believe that other, equally or greater bugs and breaches aren’t in the future. The even greater shock is that this could happen to OpenSSL, which experts would have believed was proof against this kind of situation occurring.
First, it is open source, meaning that cryptologists and application development professionals have full access to all the source code and have subjected it to broad crowd-sourced peer review. Second, OpenSSL has been professionally reviewed by certification laboratories with such extreme rigor that it has been awarded National Institute of Standards & Technology (NIST) Federal Information Processing Standard (FIPS) 140 certification (see Certificates 733, 918, 1051, 1111, and 1747 at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2012.htm#1747) , which is the commonly accepted “gold standard” for cryptographic implementation.
Heartbleed underscores a self-evident truth about our use of technology. Even when every effort has been made to assess vulnerabilities and address, the combination of cost management and rush-to-market that drive online business models unavoidably introduce unexpected risks to online businesses and the customers they support. Relying on a single no-cost/low-cost source of data protection for online data exchange (OpenSSL) resulted in exposure of an unknown number of user credentials, even to the point that a rash of identity thefts may be unavoidable.
While there is no certain solution for the Heartbleed situation yet, it is equally self-apparent that exercising defense-in-depth is a strategy worth considering. For example, the data itself might be encrypted before it is passed to the communications line encryption protocol, with cryptographic keys that only allow decryption once the data is moved outside the receiving webserver. While integrating layers of data protection in addition to SSL/TLS in this way increases complexity and cost to an online application, it also can significantly decrease the risk when a failure in one, such as Heartbleed in OpenSSL, occurs.
It is for this reason that Prime Factors has expanded EncryptRIGHT®, its flagship cryptographic key management, encryption, and tokenization middleware, to protect data exchanged between endpoints both with TLS and an additional proprietary strong encryption implementation. This is much like having seatbelts, shoulder harnesses, and airbags in modern automobiles – any one might fail to protect in a given situation but in combination, they offer the greatest chance for survival in the event of a disaster.
Prime Factors Blog
Subscribe to Email Updates
Posts by Topic
- Enterprise Data Protection
- PCI Data Encryption
- PCI Data Security Standards
- encryption keys
- data breach
- PCI Compliance
- HSM Management
- Crypto Key Management
- PCI DSS
- Payment Card Personalization
- healthcare security
- key management
- health information security
- PCI DSS 3.2
- PGP Encryption