For the past day and a half, the Internet has been abuzz about “Heartbleed,” a sinister-sounding security flaw that has rendered a massive chunk of the Web vulnerable to attack.
No less an authority than Bruce Schneier — a leading computer security expert, author and fellow at Harvard’s Berkman Center — wrote that the implications of Heartbleed are “catastrophic.” “On the scale of 1 to 10, this is an 11,” wrote Schneier, hardly a hand-wringing Cassandra.
Already a thousand explainer articles have been written about Heartbleed, which even has its own little logo. The flaw was only recently uncovered in OpenSSL, the standard encryption many sites and online services use to keep your username and password encrypted. At its disclosure, some 17 percent — or half a million — of the Internet’s secure web servers were believed to have been vulnerable to the attack.
In theory, a hacker can exploit the vulnerability without leaving a trace to access passwords, encrypted communications such as instant messages, and credit-card information. The implications for major publishers and online retailers is simply astonishing. Just changing a password is not necessarily going to help anything — here’s a fairly comprehensive list of passwords you should change (Facebook, Gmail), and those you don’t need to worry about (Amazon, PayPal).
Digiday spoke with David Chartier, CEO of security firm Codenomicon, about what brands and publishers have to worry about — and whether the press has gotten the Heartbleed story right so far. Excerpts:
What do big publishers and online retailers need to do here?
The key thing is if you have a Web presence, you need to find out if you’re using OpenSSL. It’s pretty simple: your IT department knows what they’re using. The good thing with this bug is the fix is pretty simple: upgrade to the new version with the patch and revoke your old encryption keys. Then get issued new encryption keys. If you don’t do that, the attackers theoretically still have your encryption key and are able to decrypt your traffic. Go through your vendor, who will issue you new keys. Once that’s done users can change their passwords.
Has anyone not done this or had any trouble doing it?
All the top Internet assets have already done this. They have processes in place to roll this out. They’re able to do this fairly quickly.
What if you’re a small online retailer without an IT department?
If you’re a small business, you might be better off shutting down — going offline — and don’t use it until you can get it confirmed from your service provider so you don’t have to worry about being hacked. At Codenomicon we only really deal with really large companies. All our clients seem to be on top of it. I’ve have people I know, friends running ecommerce sites, and they don’t know anything about anything. They need to contact whoever they’re getting their service from and ask them simple questions: are we using simple SSL? Have you upgraded?
It’s probably a good time to be a vendor providing these new encryption keys.
You can imagine the certificate providers are pretty busy these days. You have a huge chunk of the Internet asking for these certificates.
A lot of businesses can’t really afford to just go offline, though.
Those are really your two choices: Do the upgrade or turn the service off. The Canadian IRS closed their system. They needed to do quite a lot of work to do these upgrades to make sure no one was compromised. I think they took a prudent approach.
No one knew about this before last week. Are hackers having a field day right now?
It’s hard to say. I know a number of security firms have set up honeypots on the Internet to try to determine if there’s any activity out there. The challenge you have with this bug is that it doesn’t leave any forensic traces. After we hacked ourselves we couldn’t find any trace that we’ve been there. Unless somebody hacks a honeypot and the honeypot owner discloses that, it’s going to be very difficult to determine if it’s been exploited or not.
Has this been overblown, under-blown or appropriately-blown?
I say it’s an appropriate response given the severity of the threat. The Internet is a whole lot safer than it was a week ago thanks to the security community and the media.
So it’s now safe to buy things on Amazon and sign in to read the New York Times?
I don’t want to call out any individual websites, but I would say it’s pretty safe on Amazon.
Has the media gotten the story right?
I would say that a vast majority have gotten it pretty right. There’s been a lot of talk about how important it is you change your password. It is. But you have to do it at the right time. It doesn’t help to change it unless your SSL has been upgraded and you’ve been issued the certificate. Changing the password isn’t a fix in itself. But overall it’s been good reporting.