On Monday, internet firms announced arguably the most serious security problem the global network has seen, nicknamed ‘Heartbleed’: for the last two years, many users' ‘secure’ connections have not actually been secure at all.
But secure from what? Secure from whom? Is there a cat-stroking supervillain holding the moon to ransom while collecting our online banking passwords? Are the risks a bit closer to home, or is this all just marketing for some snake oil firewall software?
What has happened is that a widespread piece of software, OpenSSL, had a bug in it. OpenSSL provides the ability to make connections over the internet be ‘secure’. ‘Secure’ here means that no-one can read what is being communicated or change or delete it, and that there is some degree of certainty about the identity of the one person or computer on the other end of this connection.
This software is maintained by a small group of underfunded experts, but nevertheless is critical to the secure operation of almost every internet-connected server, desktop, laptop and mobile device.
OpenSSL makes no money: it is given away to users for free, as are the blueprints. That allows the boffins to look under the hood to check it really works. They did check. It wasn't working. What would happen if people couldn't do these checks doesn't bear thinking about.
Businesses across Britain currently have little choice but to rely on the current community of internet standard-setting bodies, volunteer-run software projects and security bug grapevines. These sorts of systems have many of the problems of the financial industry – ie. a potential market in insider information and over-sold protection products.
The situation is improving by the day, as the Heartbleed chaos has motivated reform and better funding for OpenSSL. It has also led to some public recriminations between operating system vendors and the internet standards bodies which design these secure protocols (of which OpenSSL is just the most widespread implementation), some going as far as to insinuate that the protocols have been made deliberately insecure by people working for national security agencies, though the burly bloke in the sunglasses who's just shown up in my office assures me that this is not the case.
For the last two years, it has been possible for (some) people to read passwords, online banking details, and private email messages sent over the internet, as though we had all been dictating confidential letters and then discovered they had been sent as postcards rather than in envelopes.
As yet, it hasn’t been proved that anyone has done so, but a lot more people now know that they can. In particular, it means it is much easier for a determined thief to impersonate you or your bank to each other online, take some of your cash, and leave you and the bank to fight it out in court.
What businesses need to do about this is upgrade the system software on all their computers, including mobile phones, and get their employees to change any passwords which matter. Unlike previous security bloomers, there's no published list of passwords doing the rounds on the 'Net, so it is important, but not urgent to shut this particular stable door. Businesses need to manage the upgrades and password resets for all the computers and people affected, but they do that as a matter of course; the tradeoffs for delay are just a bit different this time.
Err on the side of caution here: you may think you've got nothing to hide, but I've met dozens of people who say that, but sensibly won't tell strangers their PIN number or where their kids go to school – the sort of stuff you could work out by, say, reading their internet traffic for a few years.
This implies one of two important risks to bear in mind: we can compromise the privacy of our friends and family, even without the assistance of Facebook. The other is about weighing up the odds of fraud: if the bad guys (and girls) are able to use the illicit access afforded by Heartbleed to collect many small items of information about a very large group of people, such as dates of birth, mother's maiden names, last addresses, etc., the law of averages says some fraction of these people will disclose enough to be impersonated, and a fraction of this unfortunate group will have something worth stealing.
These internet vulnerabilities transform the economics of online fraud: change your passwords to make them pick on someone else. Heartbleed is perfectly serious, even if has been somewhat overhyped. The necessary countermeasures are fairly straightforward, and hopefully they will increase awareness so more people can protect themselves.
- Martin Keegan is a freelance software programmer who worked as head of IT for British sofware firms