So for anyone who hasn’t heard yet, the internet is broken.
No, that’s not hyperbole. Anyone claiming otherwise doesn’t understand the scope of the problem, namely that all data that has passed through any server running a vulnerable version of OpenSSL (1.0.1 through 1.0.1f, which is roughly the last two years) is now “suspect”. Potentially compromised. Not only that, but the private key behind any SSL certificate stored on or used by a server running a vulnerable OpenSSL is also potentially compromised, because the bug lets an anonymous client read chunks of the server process’s memory, and that is exactly where the key lives.
That means, in effect, that there is no way of verifying any website on the internet is, in fact, who it says it is: whoever pulled a site’s key out of memory can stand up a perfect impersonation of that site.
SSL is a bad system, and always has been,1 but this goes beyond mere data leakage.
That’s it, in other words. Game over. Patching on its own won’t help, changing passwords before the site is patched won’t help, and reissuing certificates won’t help unless the old ones are actually revoked and clients actually check for revocation. The bug is in OpenSSL, not in the SSL protocol itself, but the trust model built around SSL is fucked.
The reason this spreads so far beyond the immediately affected sites is the shitty trust model SSL is based on: a certificate is trusted until it expires unless it is revoked, and revocation checking in browsers is somewhere between weak and nonexistent (most of them soft-fail, meaning that if the OCSP responder doesn’t answer they just carry on as if nothing were wrong). Couple that with the scope of effort required to truly clean up every potentially compromised certificate (basically a mass revocation of every cert that ever sat on a vulnerable server, which is a large fraction of the SSL sites on the internet) and you’re talking a concerted effort across browser makers and the companies that issue SSL certificates in the first place, one that could knock millions of sites offline. The likelihood of this actually happening? Basically nil.
We haven’t felt the real pain from Heartbleed yet, I guarantee it.
The funniest part about all of this?
As the Gizmodo article mentions, because OpenSSL is open source, the commit that introduced what is arguably the biggest security hole in the history of computing can be traced back to its author.
A kid at some university in Germany.
That’s right, a missing bounds check, the kind of thing that would get you flunked out of CS 101 (the code trusted the length field the peer sent in its heartbeat message instead of checking it against how many bytes had actually arrived, then copied that many bytes out of memory and sent them straight back), broke the trust model the entire internet is based on.
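To make the flaw concrete, here is an added illustration of the bug class in C. It is not OpenSSL’s code and is deliberately simplified: a fixed-size arena stands in for the heap, and the message layout (one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding) follows the TLS heartbeat extension. The vulnerable handler believes the peer’s length field; the hardened one refuses any record whose claimed payload does not fit inside what was actually received, which is the shape of the real fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the Heartbleed bug class, not OpenSSL's code.
 * Heartbeat message: 1 byte type, 2 bytes payload length, payload, >=16 bytes padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_HDR      3           /* type + 2-byte length */

/* Constructed stand-in for sensitive heap data sitting right after the record. */
static const char SECRET[] = "SECRET-KEY-MATERIAL";

/* Build a received record at the front of the arena and plant SECRET directly
 * behind it. claimed_len is what the peer says; real_len is what it sent. */
static size_t build_arena(unsigned char *arena, size_t cap,
                          uint16_t claimed_len, const char *payload, size_t real_len)
{
    memset(arena, 0, cap);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HDR, payload, real_len);
    size_t rec_len = HB_HDR + real_len + HB_PADDING;  /* bytes that actually arrived */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);   /* "adjacent heap memory" */
    return rec_len;
}

/* Vulnerable shape: trusts the peer's length field and never consults rec_len. */
static int heartbeat_unsafe(const unsigned char *rec, size_t rec_len,
                            unsigned char *resp, size_t resp_cap)
{
    (void)rec_len;                                 /* the bug: real length ignored */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t plen = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t out = HB_HDR + plen + HB_PADDING;
    if (out > resp_cap) return -1;                 /* guards the destination only */
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + HB_HDR, rec + HB_HDR, plen);     /* reads plen bytes past the record */
    memset(resp + HB_HDR + plen, 0, HB_PADDING);
    return (int)out;
}

/* Hardened shape: the claimed payload must fit inside what was received. */
static int heartbeat_safe(const unsigned char *rec, size_t rec_len,
                          unsigned char *resp, size_t resp_cap)
{
    if (rec_len < HB_HDR + HB_PADDING) return -1;  /* cannot even hold header + padding */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t plen = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + plen + HB_PADDING > rec_len) return -1;  /* the missing bounds check */
    size_t out = HB_HDR + plen + HB_PADDING;
    if (out > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + HB_HDR, rec + HB_HDR, plen);
    memset(resp + HB_HDR + plen, 0, HB_PADDING);
    return (int)out;
}

/* Lying request: claims 64 payload bytes, actually sends 3. Returns 1 if the
 * response echoed back the SECRET planted behind the record. */
static int demo_unsafe_leaks_secret(void)
{
    unsigned char arena[256], resp[256];
    size_t rec_len = build_arena(arena, sizeof arena, 64, "abc", 3);
    int n = heartbeat_unsafe(arena, rec_len, resp, sizeof resp);
    if (n < 0) return 0;
    /* resp[HB_HDR + k] mirrors arena[HB_HDR + k], so arena[rec_len] lands at resp[rec_len] */
    return memcmp(resp + rec_len, SECRET, sizeof SECRET - 1) == 0;
}

/* Same lying request against the hardened handler: must be rejected. */
static int demo_safe_rejects_lie(void)
{
    unsigned char arena[256], resp[256];
    size_t rec_len = build_arena(arena, sizeof arena, 64, "abc", 3);
    return heartbeat_safe(arena, rec_len, resp, sizeof resp) == -1;
}

/* Honest request: claimed length matches what was sent, so it is echoed back. */
static int demo_safe_echoes_honest(void)
{
    unsigned char arena[256], resp[256];
    size_t rec_len = build_arena(arena, sizeof arena, 3, "abc", 3);
    int n = heartbeat_safe(arena, rec_len, resp, sizeof resp);
    return n == (int)rec_len && memcmp(resp + HB_HDR, "abc", 3) == 0;
}

int main(void)
{
    printf("unsafe handler leaks adjacent secret: %s\n", demo_unsafe_leaks_secret() ? "yes" : "no");
    printf("safe handler rejects lying length:    %s\n", demo_safe_rejects_lie() ? "yes" : "no");
    printf("safe handler echoes honest request:   %s\n", demo_safe_echoes_honest() ? "yes" : "no");
    return 0;
}
```

The arena is oversized so the demo itself never reads out of bounds; in a real server the same memcpy walks into whatever the allocator put next to the record, and with a 16-bit length field an attacker can ask for up to 64 KB per request, repeated as often as they like.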
Welcome to the future.
I think the thing that pisses me off most about this vulnerability is that it’s so fundamental and so far-reaching that it’s pretty much the tech-sector equivalent of a drug manufacturer forgetting to put the active ingredient in their medicine and selling two years’ worth of sugar pills.
If this had happened in literally any other industry, governments all over the fucking world would be passing legislation and setting up regulatory bodies, issuing fines and, potentially, prosecuting for criminal negligence. It’s true that no one is likely to die from Heartbleed, but still. The vulnerability, and the reaction to it, is symptomatic of a wider problem in tech, which is the fact that the industry still acts like a bunch of pretentious teenagers who think South Park libertarianism is the height of political thought.
This is not about changing people’s passwords. In fact, it’s not about any action taken by any single user. That’s what makes this scary; it represents a fundamental failure of the prevailing INFOSEC notion that security is some magical thing that will emerge out of rugged individualism and free market forces. No one is fucking accountable for this shit, and until someone can be, it will keep happening again and again and again and again.
Imagine a car manufacturer that released cars like software developers release code. People would fucking die and the company would be shut down and its execs would be in jail.
Or, again, that analogy isn’t quite right because of the deaths, so…
Imagine if a major bank released an ATM that, if a certain series of keys were pressed on the keypad, spat out bills at random with no record that it had happened. And it did this for years, and no one noticed. The money wasn’t deducted from anyone’s account, and no one at the bank noticed that a whole lot of it kept going missing (“that would never happen!” Not in banking, no, but that level of obliviousness is exactly what the Heartbleed code represents). And this went on for years and years until one day everyone realized there was twice as much money in circulation as there should have been, and the entire economy collapsed.
That’s the level of bad we’re talking about here, not just in consequences but in the complete lack of care given by all the people and processes that should have stopped it happening.
It’s fundamental, it’s bullshit, and it’s going to cost millions (at least) to remediate.
It is, in other words, entirely indicative of everything that’s wrong with this industry.
1. Case in point: what is the primary purpose of SSL? Anyone who answered “encryption”, bzzt! Wrong.