By now, you most likely have heard about this Heartbleed bug that has affected over half a million of the world's most popular websites, the result of a programming error in OpenSSL. You can read more about the bug at the link above, but in essence it allowed unauthorized users to steal a server's identity and decrypt all traffic going to that server, now or in the past. Whether this was really possible was hotly debated for a few days after Heartbleed's discovery, but it has since been confirmed:
The demonstration by Cloudflare that it's possible to extract private SSL certificates means that out of an abundance of caution, administrators of sites that used vulnerable versions of OpenSSL should revoke and replace old certificates with new ones as soon as possible. Given the huge number of sites affected, the revelation could create problems.
So this is a pretty big deal for sites that rely on OpenSSL to encrypt their traffic. The question users should be asking is: which sites are affected? The infographic below should get you started with the more popular web services out there.
[Infographic: web services affected by Heartbleed. Src: visual.ly]
While this infographic only lists two dozen or so websites, they are among the largest networks on the planet, and as a result this problem can only be described as "catastrophic." Combine this with the bad year Americans have had in cyber security given the PRISM fallout with the National Security Agency, and American consumers are understandably skittish; stocks took notice too.
After the announcement on April 10th, Google stock has dropped $32, Amazon $15, and poor Bitcoin just can't catch a break. The government isn't oblivious to the effect either: the US Internal Revenue Service is urging citizens to continue filing taxes after the Canadian Revenue Agency shut down its online operations on Monday.
While Heartbleed poses a huge security risk, we can take solace in the fact that it would take an inordinate amount of time to download any actionable information using this bug: it would require thousands of 64KB chunks of data to piece information together. Even so, it is a scare that should not be ignored. Obviously, individuals need to change their passwords and organizations need to update their software, but this illustrates a very real concern about our growing reliance on computer assets, one in which increased vigilance and vulnerability sharing are required:
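The 64KB figure comes from the heartbeat message format itself: its payload length is a 16-bit field, so a single request can ask for at most 65535 bytes back. As an added illustration, not code from the original post or from OpenSSL, here is a small Python parser for the TLS heartbeat message (RFC 6520) that applies the bounds check the vulnerable OpenSSL versions omitted: a request whose declared payload length does not fit inside the record actually received is dropped instead of answered. The sample records at the bottom are constructed for this example; the zero padding in the response is a simplification (the RFC calls for random padding).

```python
import struct
from typing import Optional, Tuple

# RFC 6520 heartbeat message: type (1 byte) | payload_length (2 bytes) | payload | padding (>= 16 bytes)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
MAX_PAYLOAD = 0xFFFF  # payload_length is uint16: the source of the "64KB per request" ceiling


def parse_heartbeat(record: bytes) -> Tuple[int, bytes]:
    """Parse one heartbeat record body, rejecting anything whose declared
    payload length would read past the bytes that were actually received."""
    # A record must at least hold the header plus the minimum padding.
    if len(record) < 1 + 2 + MIN_PADDING:
        raise ValueError("record too short for header and minimum padding")
    hb_type = record[0]
    (payload_length,) = struct.unpack("!H", record[1:3])
    # This is the check missing from the vulnerable code: the peer's claimed
    # payload_length is only trusted if header + payload + padding fit in the record.
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        raise ValueError("declared payload_length exceeds received record length")
    payload = record[3:3 + payload_length]
    return hb_type, payload


def build_heartbeat_response(request: bytes) -> Optional[bytes]:
    """Echo the payload of a well-formed request. Malformed or oversized
    requests return None, i.e. they are silently discarded, which is what
    the fixed OpenSSL does rather than replying from uninitialized memory."""
    try:
        hb_type, payload = parse_heartbeat(request)
    except ValueError:
        return None
    if hb_type != HEARTBEAT_REQUEST:
        return None
    # Response: type 2, the echoed length and payload, then padding (zeros here for simplicity).
    return (bytes([HEARTBEAT_RESPONSE])
            + struct.pack("!H", len(payload))
            + payload
            + b"\x00" * MIN_PADDING)


if __name__ == "__main__":
    # Constructed sample records: a well-formed 4-byte "ping" and one whose
    # header claims the maximum 65535-byte payload but carries only 4 bytes.
    well_formed = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * MIN_PADDING
    oversized = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", MAX_PAYLOAD) + b"ping" + b"\x00" * MIN_PADDING
    print("well-formed ->", build_heartbeat_response(well_formed))
    print("oversized   ->", build_heartbeat_response(oversized))
```

The hardened parser answers the first record with a 4-byte echo and returns None for the second, which is the whole fix: the length the peer declares is never used to index memory the record does not contain.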
"The White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process," Hayden said. "Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities."
Unfortunately, we can't exactly trust the government to legislate in our best interest (see: the 2012 Cyber Security Bills), and open source programmers are prone to mistakes that affect the world as a whole, so what can we do? Act in our own best interests voluntarily through programs like NIST and Homeland Security's Critical Infrastructure Cyber Community, and not wait until revelations like these cause us to doubt our cyber security.
Be proactive and establish measures like Perfect Forward Secrecy or two-factor authentication. The door to your home offers only limited protection, yet we still lock it every night; likewise, although our cyber security measures are not impervious to assault, we can still thwart most assailants through simple, common-sense security measures.
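As an added example that is not from the original post, here is what Perfect Forward Secrecy looks like in practice in an nginx server block, with the weak setting beside the corrected one. The first configuration still allows static RSA key exchange, where a single leaked server key decrypts every session ever recorded against it; the second restricts key exchange to ephemeral (EC)DHE suites so each session gets its own key. The hostname and file paths are placeholders.

```nginx
# Weak: static RSA key exchange remains negotiable (no forward secrecy).
# A server private key recovered later decrypts all previously captured sessions.
server {
    listen 443 ssl;
    server_name example.invalid;                      # placeholder hostname
    ssl_certificate     /etc/ssl/placeholder.crt;     # placeholder path
    ssl_certificate_key /etc/ssl/placeholder.key;     # placeholder path
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;                     # still admits AES128-SHA etc. (RSA key exchange)
    ssl_prefer_server_ciphers off;                    # client picks; may choose a non-PFS suite
}

# Corrected: only ephemeral ECDHE/DHE key exchange, server enforces the order.
# A compromised long-term key can still be used to impersonate the server
# until it is revoked and replaced, but it does not decrypt recorded traffic.
server {
    listen 443 ssl;
    server_name example.invalid;                      # placeholder hostname
    ssl_certificate     /etc/ssl/placeholder.crt;     # placeholder path
    ssl_certificate_key /etc/ssl/placeholder.key;     # placeholder path
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!RC4:!MD5';
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;                         # curve used for ECDHE
    ssl_dhparam /etc/ssl/placeholder-dhparam.pem;     # placeholder; 2048-bit group generated with 'openssl dhparam'
}
```

One caveat a practitioner should keep in mind: forward secrecy limits what a stolen private key is worth, but it does nothing about data Heartbleed reads straight out of the server's memory (session cookies, passwords in flight). Patching OpenSSL and replacing the certificate, as the quoted advice above says, come first; forward secrecy is the measure that keeps the next key leak from exposing the past.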