Yesterday, the maintainers of OpenSSL, an open-source toolkit used to encrypt communications between a server and its end users, announced a critical security bug in previous versions of the software. In short, the bug makes it possible for anyone to read the credentials and other information you transmit to a website secured by an SSL certificate, or “HTTPS” (your username, password, credit card information, and any other data you send), whenever you log in to a website that is affected by the bug. (You can read more details about the security bug at http://heartbleed.com and by reading CNET’s article here.)
Brian Krebs, a well known and well-respected security researcher, has also written about the security flaw on his blog.
Here’s another way to think about it:
- User A has a user account and logs into a website that is affected by the OpenSSL security bug. User A then proceeds to purchase something, entering his mailing address and credit card information.
- User B does not have a user account. Even though User B does not know User A and is not monitoring any of User A’s internet traffic directly, User B happens to be scanning information the bug makes publicly available at the same time User A logs into the website.
- User B obtains User A’s username and password and is now able to log into User A’s account. Furthermore, using the same scanning technique (without even logging into User A’s account), User B obtains the credit card information, mailing address, and any other data that User A transmits through the “secured” website.
Even though this bug was only discovered and announced by security researchers yesterday, it could have been exploited at any time since the affected software was first released (in 2012, two years ago)!
What Types of Services are Affected?
Not only are ordinary websites affected; other services such as VPN connections and email are affected too. If you connect to your network securely with a VPN connection, for example, that connection could be affected.
Several firewalls that provide VPN services for nonprofit organization and business networks are affected! For example, the latest version of pfSense as of this writing, a very popular open source firewall, is vulnerable. pfSense 2.1 is based on BSD 8.3, which ships OpenSSL 0.9.8 by default (a version that is not affected by the bug), but pfSense 2.1 adds OpenSSL 1.0.1 (which is affected). This means that if your company or nonprofit organization allows employees to log in securely to your network via VPN, your entity’s data could be compromised.
Other affected firewalls include WatchGuard, a proprietary firewall vendor that has stated that some of its devices are affected, as well as some SonicWALL products.
In a phone call I received today from a SonicWALL engineer, I learned that although Dell’s SonicWALL firewall (NSA) appliances are not affected, their SSL VPN (SRA) appliances ARE affected. “The SonicOS Enhanced 5.8 version, as well as the 5.9 version, are not affected by Heartbleed,” he said. “The only Firewall software that WAS affected was an OS update that was still in pre-release beta not available to the general public.” The engineer went on to assure me that Dell was working on a public Knowledge Base article that would be published shortly.
Other affected connections can include those to your email service provider (sending and receiving email).
OpenSSH services are not affected (so you can still use SSH to securely login to your servers), as OpenSSH and OpenSSL are different libraries.
This has major implications
As of this blog post, I am seeing unconfirmed reports that Yahoo, LastPass, and other high-profile websites and cloud service providers were vulnerable (they were affected by the security bug), although LastPass responded to CNET’s request for comment, indicating they patched their systems early this morning.
LastPass also indicated that the data (passwords) stored on its servers is encrypted with a key that is stored on the end user’s computer, so data stored INSIDE LastPass (passwords to various websites) could not have been stolen.
Regardless, users of any affected website should assume that the credentials they use to log INTO that website, LastPass included, have been stolen. As a result, the only responsible remedy is to change the password on each affected service.
You can read LastPass’s full statement here: http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html. I agree with their suggestion that users should generate new passwords for websites that they visit: “We recommend that LastPass users generate new passwords for their most critical sites.”
In summary, in a perfectly security-minded world, 3 things would happen very quickly, in this order:
- Server and website operators will install the most updated version of OpenSSL, which fixes the security bug.
- Website operators will regenerate new SSL security certificates for all websites, email connections, and VPN connections that were affected.
- End users (if you’re reading this article, you are an end-user) will change all of their passwords used on any website they have ever used.
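As an added example (not part of the original post), the shell script below supports the first two operator steps above and the pfSense version discussion earlier: it classifies an `openssl version` string against the affected upstream range (1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g is the fix, the 1.0.0 and 0.9.8 branches never had the bug), checks the local host, and regenerates a fresh private key and CSR for a hostname you supply. The function names, the `--check` flag and the sample version strings are my own constructions.

```sh
#!/bin/sh
# Heartbleed helper: added example, not the post's or any vendor's code.
# Assumes only a POSIX shell plus the openssl binary for the last two functions.

# Classify a full "openssl version" string, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# Prints one of: vulnerable, fixed, not-affected, unknown.
# Caveat: distributions often backport the fix without changing the version
# number (a patched 1.0.1e still reports 1.0.1e), so "vulnerable" from the
# string alone means "confirm against your vendor's advisory or changelog".
heartbleed_status() {
    set -- $1                                  # split on whitespace; $2 = version
    [ "$1" = "OpenSSL" ] || { echo "unknown"; return 0; }
    case "$2" in
        1.0.2-beta1)            echo "vulnerable" ;;   # beta that shipped heartbeat
        1.0.1|1.0.1[a-f])       echo "vulnerable" ;;   # 1.0.1 .. 1.0.1f
        1.0.1[g-z]*)            echo "fixed" ;;        # 1.0.1g and later letters
        1.0.2*|1.[1-9]*|[2-9]*) echo "fixed" ;;        # everything newer
        1.0.0*|0.*)             echo "not-affected" ;; # branches without heartbeat
        *)                      echo "unknown" ;;
    esac
}

# Step 1 of the checklist: report what this host has installed.
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 0; }
    v=$(openssl version)
    echo "$v -> $(heartbleed_status "$v")"
}

# Step 2 of the checklist: after upgrading, treat the old private key as
# exposed and create a new key plus CSR to submit to your CA.
# $1 is the hostname for the certificate (placeholder, supplied by you).
regenerate_key_and_csr() {
    host=$1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$host.key" -out "$host.csr" -subj "/CN=$host"
    chmod 600 "$host.key"
    echo "new key: $host.key, CSR: $host.csr (install the reissued cert, then revoke the old one)"
}

if [ "${1:-}" = "--check" ]; then
    check_local_openssl
fi
```

Run `sh heartbleed.sh --check` on a server, or source the file and call `regenerate_key_and_csr vpn.example.org` once the upgraded OpenSSL is in place.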
My last point above sounds very annoying and time consuming. It is. However, that is the only way end users can be sure their various user accounts are safe. Unfortunately, changing your passwords accomplishes nothing until you know a website has been patched, because a new password sent to a still-vulnerable site can be captured just like the old one.
As of this writing, updated websites (that are safe to use) include (but are not limited to):
- Google (and all of their various services)
- And of course, our own website and related services
Take a look at my blog post from last year on Password Security & User Accounts for advice on password security and what constitutes a good password.
(Updated at 3:45pm on 4/8 to include a link to Brian Krebs’ blog. Updated at 3:15pm on 4/9 to include information on WatchGuard and SonicWALL firewalls. Updated at 4:10pm on 4/9 with a statement from Dell SonicWALL. Finally, updated on May 5 to clarify what type of data could be obtained.)