Heartbleed & OpenSSL — Do End-Users Need to Change Their Passwords?

Entrust

The discovery of the Heartbleed implementation bug that could attack certain version of OpenSSL has, rightfully, made global headlines. While this vulnerability doesn’t affect the certificates issued by trusted certification authorities (CA), the discovery has set end-users into a bit of “password panic.”

The crux of the issue is that services providers, website operators, software developers, etc., need to inform end-users about the status of their end-users’ credentials. End-users are wondering, “Do I need to change my password?”

In many cases, they do not as that specific Web server was not susceptible. In other cases, they do as the Web server has now been fixed.

HeartbleedPassword Changes Ineffective Until Fix in Place

While changing passwords is smart, it won’t do the end-user much good until the fix is in place. This introduces another scenario where organizations and end-users alike would benefit from transparency and clear, open communication. In other words, what is the status of their Web server?

What is the Heartbleed Bug?

Imagine an insect invasion in a house that goes undetected for a long time. When it’s finally discovered, it turns out insects have overrun the entire building. That house is the Web, and the insect is a bug called Heartbleed.

According to a website that charted its emergence, “The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.”

Heartbleed attacks the heartbeat extension (RFC 6520) implemented in OpenSSL. Heartbleed allows an attacker to read the memory of a system over the Internet and compromise the private keys, names, passwords and content. An attack is not logged and would not be detectable. The attack can be from client to server or server to client.

Heartbleed is Not a Flaw in SSL/TLP Protocol

Heartbleed is not a flaw with the SSL/TLS protocol specification, nor is it a flaw with the certificate authority (CA) or certificate management system. Heartbleed is an implementation bug.

The bug impacts OpenSSL versions 1.0.1 through 1.0.1f. The fix is in OpenSSL version 1.0.1g. The 0.9.8 and 1.0.0 version lines are not impacted. OpenSSL 1.0.1 was introduced in March 2012, so the vulnerability is 2 years old.

An open-source standard, OpenSSL is one of the most popular Internet traffic encryption options deployed. Online services use it to protect customers and themselves.

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software,” says the Heartbleed.com website.

In short, much of the Internet is an open book — and has been for some time now. According to Netcraft, the number of otherwise trusted sites infected by the bug sits at around half a million. A site available here allows you to test any website to see if it’s been affected.

The report implies that the bug has resulted in massive breaches of enterprise security, including the exposure of encryption keys and user credentials.

Throughout this debacle, one scary truth is emerging: almost everybody, directly or indirectly, will be impacted.

“On the scale of 1 to 10, this is an 11,” security expert and blogger Bruce Schneier said.

Entrust
Entrust

Entrust provides identity-based security solutions that empower enterprises, consumers, citizens and websites in more than 5,000 organizations spanning 85 countries. Entrust's identity-based approach offers the right balance between affordability, expertise and service. With more than 125 patents granted and pending, these world-class solutions include strong authentication, physical and logical access, credentialing, mobile security, fraud detection, digital certificates, SSL and PKI.

1 Comment

Add to the Conversation