On April 6, a Google security engineer named Neel Mehta, well-known for his ability to discover flaws and vulnerabilities in security software packages, reported that OpenSSL -- one of the commonly, if not most, deployed software packages in the world -- has a flaw. The flaw may allow an attacker to learn the passwords and keys used in the system and affect just about anything a typical consumer does: setting and using a home wireless hub, connecting to an Internet bank website, or logging to email, storage and social media accounts.
This sounds very serious, and I assure you it is. The security blogger Bruce Schneier said it very succinctly: On a scale from one to 10 in importance, this is an 11.
Now that I have your attention, let me give you the specifics. I will also explain what you need to do or can do as a typical Internet user. OpenSSL is a software package. It implements a protocol named secure sockets layer (SSL) that allows two computers to create an encrypted tunnel between them in order to exchange data securely, away from prying eyes. Not every secure connection uses OpenSSL software and not even every SSL connection uses it either. There are other SSL implementations, such as GnuTLS, MatrixSSL, PolarSSL and SChannel. Some of these packages are open source, while others are commercial or proprietary.
OpenSSL is probably the most widely used software package in the world. I would guess that about half of Internet-connected devices run OpenSSL.
The project started in 1998 and is managed by a group of software developers, now located in the United Kingdom and Germany.
Being an open-source project, their principal support is through donations and their efforts are volunteer-driven.
The software is free. Anyone, any company can obtain a copy and install it on a computer, router or device. That is one reason it is so popular.
The security researchers who found the flaw in OpenSSL package named it "the heartbleed bug." It works like this: Another OpenSSL-installed computer connects to your computer and tricks your computer to send some memory blocks to it. Unfortunately, the memory block will contain sensitive data, particularly encryption keys and passwords. The OpenSSL team fixed the software and published the new version within the same day. Does this mean the problem is over? Far from it.
There are thousands, if not millions, of computers that need to update their OpenSSL software. This will be a slow process. I am guessing all major banks, e-commerce, social media, email and cloud storage servers updated their OpenSSL software in the last 72 hours.
Unfortunately, they are not the only ones that need updating. Yesterday, Cisco and Juniper, two of the major networking equipment makers in the world, announced the flaw affects many types of networking equipment as well. Large routers that connect Internet hubs, home routers and VPN equipment that connects company offices are all affected.
OpenSSL is used in way too many places and types of the equipment, including phones. Furthermore, collaboration software is also vulnerable. The list is growing fast.
What can you do as a consumer? Run to change your password? Unfortunately, this is not going to help. Your software or firmware needs updating. This is not something a user is generally capable of doing. If you change your password and your software still has the "heartbleed bug," an attacker targeting you will learn your new password, too.
There is a funny t-shirt I sometimes see people wearing that reads, "I am a bomb disposal technician. If you see me running, try to keep up." This is how many security researchers feel now: just hope someone is not targeting you. The seriousness of this flaw cannot be overstated.
If your bank or email server provider updated its OpenSSL software, you are okay. It is very likely they did. This is especially true for U.S.- and Europe-based operations.
However, with other equipment where the automatic software updates are either unavailable or not practical, there seems to be one solution. That is to throw away the equipment, go to the computer store, get the new one and make sure it has the newest, bug-fixed OpenSSL version. This will take months, if not years, to weed out.
There is an important lesson here: OpenSSL is poorly funded and staffed. For software with this kind of major security role in the world, they need better funding. I am still of the opinion that the open-source model is the best. I trust them more. I can see and analyze code. If there is a bug, the Internet community acts quickly to fix it. However, I believe it needs to be rewritten as it is too old and too complicated.
