Why Patching Heartbleed Doesn't Fix The Security Time Bomb

Heartbleed, the bug that has preoccupied thousands of websites and millions of users over the past week, may well have been the biggest security flaw in internet history but it is unlikely to be the last. Our entire security infrastructure is a mess because both ordinary people and elite security experts often harbour fundamental misunderstandings about security, design and privacy.


Heartbleed is a bug in OpenSSL, a library used by programmers to encrypt data on the web. Hackers may have used the bug to find your password for Facebook, Instagram, Google, Yahoo and possibly thousands of other websites.

Security guru Bruce Schneier has called the situation "catastrophic" – an 11 on a scale of 1 to 10. And the craziest part is, Heartbleed is so simple that you can explain how it works in a six-panel comic strip.

Secure is not a fixed state

One serious problem is that many people think about security as a fixed state. We categorise some things as "secure" while others are "insecure". Money in the bank is secure. Money in the sock drawer is insecure. When you see the little padlock icon in your browser, the website is secure. If there is no padlock, it's insecure.

This is nonsense. Security is a spectrum. Making data more secure is expensive and inconvenient. So we compromise. We accept some risk to avoid high costs and frustrating access policies.

This confusion is exacerbated by our unrealistic views about the designers and engineers who build websites. We imagine designers who logically deduce optimal designs from a comprehensive list of requirements and testers who systematically rule out every possible bug.

But design isn't like the maths problems you did in school, where finding the answer is simply a matter of manipulating the information given. It's a creative process that involves improvising, as many systems have no meaningful requirements in practice.

A system like OpenSSL has an unknown, potentially infinite number of exploits. You can spend billions testing it and still not know for certain whether you have found them all.

Expensive locks on glass doors

Organisations appear to regularly spend enormous sums on fancy-sounding security technologies that are trivially easy to bypass. Take, for example, the millimetre-wave body scanners now found in many airports. These cost $US180,000 each and are used to create, save, store, and transfer naked images of you.

Even though they cost a fortune and significantly undermine our privacy, you can walk through a body scanner with a gun or a third of a kilogram of plastic explosive. Or, since children are not subjected to the scanners, you could just hide something on the kid and retrieve it on the other side.

Online, we primarily lock our data using passwords. But passwords just don't work very well. Virtually everything that's easy for you to remember is easy for others to guess. Everything that's hard to remember has to be written down somewhere, and then someone else can find it. Hackers can also trick you into revealing your password or exploit password reuse to compromise your "password ecosystem".

And hackers are not the only ones seeking to get their hands on your data. You may well wonder why you should bother having strong passwords when government agencies including the NSA systematically undermine encryption standards to more easily access your data on Facebook and other websites. Of course, hackers can exploit the same weaknesses created by the NSA.

Your password future

For most of us, opting out of online life because of the NSA or Heartbleed is unrealistic. However, there are some reasonable precautions you can take today.

First, you should get a password manager like LastPass or 1Password. These make it more convenient to use stronger passwords, and a different password on every site. Of course, if the password manager itself is hacked, you're toast.

Use your new password manager to generate unique, strong passwords and enable two-factor authentication wherever possible. This adds an extra layer to logging in, such as sending a code to your mobile phone.

In the long term, it is important to recognise that individuals, companies, the media and politicians will use fear, misinformation and bad logic to try to sell you ineffective security systems.

They will imply that security is a state and that everything must be secure; therefore, security systems are worth whatever money, disruption, inconvenience and downright abuse they involve.

This is a trick to keep you from simply weighing the costs and benefits. The truth is, airports do not need body scanners to stop hijackings and your internet service provider does not need to keep a record of every website you ever visit just in case it might be relevant to some frivolous copyright infringement lawsuit at some point. The NSA does not need access to the entire world's communications to look for terrorists and the police do not need unmanned aerial vehicles to spy on citizens. These are all bad trade-offs — they are expensive, invasive, abusive and most of all ineffective.

You should expect more security problems like Heartbleed in the future. Your average software developer, like your average person, does not really understand security. Smooth-talking salespeople con them into buying ineffective security systems and government agencies intentionally undermine security tools and treat privacy as the enemy.

For all the anxiety it has caused, Heartbleed has also spawned a public conversation about online security, encryption and how security systems are designed and tested. It reminds us that even the best system designers and security experts are human beings who make mistakes just like the rest of us. Next time you make a mistake, perhaps you can take solace in the fact that as bad as it is, you probably haven't compromised half the internet for two years.

Paul Ralph is Lecturer in Information Systems at Lancaster University. He does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations.

This article was originally published on The Conversation. Read the original article.


    /quote "get a password manager" /unquote.
    Then the NSA or H4ck0rZ can hax into the password managers and still have your passwords.

      Lastpass encrypts locally...so they can hax into your machinez to get your lootz but haxing the serverz yields zer0.

      Which the author mentioned two sentences later.

      And you don't need an online password manager. KeePass is a good example: it works offline, but there are cross platform apps, even for mobile devices. So you can back it up online, you can sync it between devices with online services... or you can keep it offline and only on devices you have physical access to. (Plus since it's open source, its code can be relatively easily reviewed, like in 2012, when a vulnerability was very publicly found by an external group and then very publicly fixed.)

      But having a password manager means it's easier to have different passwords for different sites. It's unfortunately common practice to reuse passwords between websites, which means that if an account on one website is compromised, you have to worry about other websites.

      By properly taking advantage of a password manager, you protect yourself from more threats than if you'd simply taken security advice from some random sarcastic and unhelpful commenter on the internet.

      I note that Lastpass was one of those subject to the Heartbleed bug.

      I learned the hard way about password reuse some time back when four of my accounts were compromised. Because I used dodgy personal info that I couldn't recall for Hotmail, I couldn't retrieve the account. Eleven years of email were permanently lost.

      I made a list of strong passwords for my important accounts using upper and lower case, numerals and special characters and used two webmail accounts to have reset information sent to. The webmail accounts use each other for reset information. After a while I found I could memorise the passwords. For unimportant, casual accounts with nothing worth losing or having stolen I use a common password.

      I looked at password managers but none of them work across all my devices and operating systems.

      Now I find at least three accounts, including one of my webmail accounts, were subject to Heartbleed...

        Have you considered KeePass? It runs on Windows, OSX, Linux and BSD (though the *nix ports aren't particularly nice to look at), with third-party Android, iOS, Blackberry and Windows Phone ports available. There's also BrowsePass, which lets you host your password database(s) on your own web host and access/unlock them remotely from any modern web browser. (There's a version of this available as a Chrome app, too.)

        Incorrect. From http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

        In summary, LastPass customers do not need to be concerned about their LastPass accounts. Though LastPass employs OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys.

        "were subject to Heartbleed..."

        Well don't jump out a window. Heartbleed is a very serious vulnerability to theoretical attacks with a low likelihood of success for your details, that existed for a window of time that has now passed, unless you selected some extremely untrustworthy services if they haven't already patched, prior to everyone trying their hand at this.

        As for the last 2 years, you shouldn't dwell on this any more than you did before the press. It is pointless. See Schrodinger's cat.

      1) The developers of password managers tend to be better at security than other organizations. 2) If you're really paranoid, use a local-only password manager that does not sync or backup to the cloud.

    Great article Paul, thanks for this! I'm really interested in this bit:

    "But passwords just don’t work very well."

    It's almost universally accepted in the security industry that passwords are an ineffective form of security (and have been for quite some time), yet nobody seems to know what we should be doing instead.

    Have you got any thoughts on this? I'd be really interested in seeing a Lifehacker piece on what the alternatives are, their respective pros and cons, and what you think will come next.

    Last edited 15/04/14 4:35 pm

      Biometric identification. A drop of blood to log into facebook please.

      Instead of protecting everything in the same way (i.e. passwords), I think we need different kinds of security in different areas. Passwords are fine for low-priority things like online games. Higher priority (like email) can get away with two-step verification. High-priority public venues like airports and border control can use biometrics. Banks are the real problem as their current combinations of passwords, personal information and custom security devices do not defend against man-in-the-middle attacks.

        Man-in-the-middle attacks against banks are a real problem for banks.
        Consumers get unmatched-anywhere-else indemnity for such losses by any kind of provider worth using.

      " what the alternatives are ... what you think will come next"

      PKI. It's worked for decades. Addresses the printer+post issue that all your online services still have to navigate at some point for real-world services. It also lends itself to 3rd party services for development - ie your digital certificate providers only verify one side of the connection? Really? When the speed of light is on offer?

    "if an account on one website is compromised, you have to worry about other websites."

    That's a vague way of describing the actual issue.
    Your email account is the goal. It's where all your other accounts will be identified and your password reset requests received. If it offers 2-factor, use it.
