Heartbleed: what the bug means for you
Canadians planning to file their taxes online today were able to postpone the dreaded task for a day, after the Canada Revenue Agency shut down its online services temporarily over security concerns raised by the discovery of a serious security flaw known as the Heartbleed bug.
If you've noticed a website switch from http to https, that was an indication the site was using a secure protocol. Most of the world's web servers – including those used by the Canada Revenue Agency – provide this protection using a software library called OpenSSL. This week, experts discovered a vulnerability in OpenSSL believed to have existed for years. Not a malicious virus, rather a flaw in the library, this bug known as Heartbleed now has organizations around the world working to secure their services.
Writer Jelena Damjanovic spoke to Seth Hardy, senior security researcher from the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, about the threat posed by the bug and measures we can take for protection.
What is the Heartbleed bug?
Heartbleed is an implementation bug in OpenSSL, which is a cryptographic library used to secure the web, email, IM, and other services on the Internet. This is a major bug – it has been estimated by researchers at Codenomicon that OpenSSL runs on about two-thirds of the world's web servers.
Why should we be concerned about it?
The bug allows an attacker to read the memory of a server using a vulnerable version of OpenSSL. This may include usernames and passwords, other data being protected, or even the cryptographic keys that allow all secure data to that computer to be decrypted. Heartbleed is a particularly bad bug because it doesn't just allow an attacker to reveal the data being protected by OpenSSL, but potentially all data encrypted by that computer to any user.
It affects the web, email, chat programs, VPNs (virtual private networks), and other services as well. Many people are affected, especially because of the move to keep data in the cloud – more people are using online services, which are likely at risk from this.
Is there anything that can be done about it?
The bulk of the responsibility is on the system administrators running vulnerable servers – they have to upgrade OpenSSL to a fixed version and regenerate the cryptographic keys that may have been compromised.
While the fix may be a simple software patch, a lot of review and testing has to happen, especially for large services, before it can be rolled out. Cryptographic keys will need to be regenerated, which further complicates the matter. Patch adoption rate is never 100% immediately – this will still be a problem for a while to come.
People can check whether a site is fixed at http://filippo.io/Heartbleed/. Sites that are not fixed should not be used. If a user is concerned that they have submitted passwords to a vulnerable site, they can change the passwords they used on that site.
However, there's no point for a user to change their password until the bug is fixed, so they should do it immediately afterwards.
More information is available at http://heartbleed.com. (For details specific to U of T visit Information Technology Services.)
Still haven't filed your taxes? At three pm April 9, 2014, the website of Canada Revenue Agency was updated with the following statement: