Heartbleed, listen to my heartbleed, oh-oh


Updated: April 21, 2014

Normally, I am very skeptical about software security. I think one of the main purposes of the relevant software industry is to scaremonger people into buying security products, so that they can feel supposedly safe. The best example of this would be the conflicting views on the Windows malware situation prior to the Windows XP demise, with one report by Microsoft showing how the newer versions of its operating system are safer, and one by anti-malware companies that claim the exact opposite. This brings my stink eye to the subject of the latest openSSL issue.

Several users, i.e. more than one, asked me to elaborate on this, given my rather cool approach. Indeed, this is not Windows, this is Linux. This is the Web. This is something else entirely. This ought to be interesting.

Teaser

Heartbleed in a nutshell

Essentially, Heartbleed is a bug in the OpenSSL Heartbeat extension, which allows a Heartbeat requester to receive arbitrary payload from the OpenSSL library memory on the target system. In other words, rather than returning just the data that is necessary for the TLS protocol communication, the polled host returns more than that. This effectively means access to memory pages not meant to be sent to the requester.

And that's it. Now, the problem is that this affects a large number of Web hosted services and sites, with a large customer base. This is where the Heartbleed issue becomes more than just yet another bug.

Why this is bad

Yes, you heard it right. I think this is a serious issue. But not because of what kind of data could have been collected from targeted sites. That is, and will always remain the whole purpose of stealing confidential information. That's beside the point.

What does matter is the way the issue came to bear. The Heartbeat bug was caused by two chief problems. One, bad input validation, the unholy grail of programming, when code developers forget to initialize their variables, check boundaries or return values. The main reason why people in cubicles cannot be trusted. Alas, it happens even to the best. There is little you can do when you go beyond the scope of Hello World!

The second issue is that the developers of openSSL used their own implementation of free and malloc, two routines that are used to grab and release chunks of memory dynamically. This means they thought they knew better than everyone else.

So yes, when you break the problem down like that, it's annoying. Almost like the Chernobyl accident. A string of tiny issues that pile up into one c.l.u.s.t.e.r. bouquet of digital intercourse.

What you can do - the right perspective

There is very little for you to do. Honestly. The problem is mostly on the server side. True, it also affects all machines that use the vulnerable openSSL libraries. But ask yourselves how often do your devices communicate directly with other hosts using TLS, other than to retrieve information from the Web, maybe connect to a gaming server, and such like?

However, for large sites, I personally think that even if they may have been bled, the volume of traffic is so large that it takes a significant amount of computing power to process all the information, and the memory contents are probably too sparse to create a coherent view.

Now, this is my hunch, not a mathematical thesis, therefore stay off your vitriol and whatnot. Think about it. Take Google, for example. It has huge compute farms with tens of thousands of servers offering Web-related services, each serving hundreds of requests every second. So even if you do heartbeat these resources, it takes a bunch of servers of your own to get all the data. Plus, if someone is working hard on getting all that lovely SSL stuff, they probably do not want to DoS these resources. Third, even if all the credentials might have been stolen, sniffing traffic on a switch network in a meaningful manner is not an easy thing.

I do not mean this to calm you down. That's not the point. You just need to examine the problem in a rational manner. So yes, in theory and maybe in practice, certain SSL data may have been leaked. As a precaution, some websites have recommended that you change your passwords. Consider this. It's not a bad practice. Furthermore, two-factor authentication, and the use of different passwords on different sites is also a good idea.

One thing that may slightly assuage your fears is that most of the worldwide install base in the corporate world is running older versions of enterprise flavors, which mostly have not been affected. You may dis the old CentOS and such, because they are not modern and cool, but in this case, there is some use to them after all.

As an end user

Now, if you want to be a good trooper, then there are some things you CAN do. Check whether your popular sites are still using the bad version. If so, report, escalate, ask for a fix. That's about it from the user side.

Passwords, yes we mentioned them earlier. Just remember that this fine bug has existed since early 2012, more than two years ago. You were not aware of it all this time, which probably means the problem did not have a widespread, clandestine manifestation. And if it did, then anywhere between two years back and now, information may have been leaked. So you should put things into the right perspective.

If you are running your own site, you can responsibly update the system, stop and start the affected services in order to load new libraries into the memory, and most importantly, make sure you do not have any crappy applications developed by mediocre consultant companies that use their own, statically-compiled openSSL, which effectively means that they will not be seeing or using your updates.

Conspiracy

Naturally, there is a fresh new NSA surveillance conspiracy, which claims that the three-letter agency knew about this bug for years. If you ask me, this is doubtful because two different companies, including Google's engineers and a Finnish (i.e. not American) company Codenomicon, reported the bug almost simultaneously. This means that something new came about.

So, if you are worried about NSA, then here's a remedy. Are you familiar with Michael Mann? He's the dude who directed Miami Vice, check, Heat, check, and many other great movies, including Manhunter, a much, much better version of the Hannibal Lecter thingie than Red Dragon. And the theme song is Heartbeat, also featured in one of Miami Vice's many stellar episodes. Now, if you listen to the song, you will understand it perfectly clearly.

Heartbeat, heartbeat, listen to my hearbeat, oh-oh

Conclusion

This is probably the first time you will hear Dedoimedo say that there is a real security issue that people should treat seriously, rather than the usual scaremongering. Yes, the memory leak caused by Heartbleed is not just your everyday malware nonsense. On the same note, it is also an issue that will primarily have to be addressed by companies and service providers. Your role in this game is small. The important thing is to stay calm and rational.

Just remember, when the Internet backbones aches, lean back and watch. It does not happen every day, and it is a refreshing change from the usual your PC might be at risk bullcrap. In this case, it's bigger than you. So relax.

Cheers.

RSS Feed icon

del.icio.us del.icio.us stumbleupon stumble digg digg reddit reddit slashdot slashdot



Advertise!

Would you like to advertise your product/site on Dedoimedo?

Read more

Donate to Dedoimedo!

Do you want to
help me take early retirement? How about donating
some dinero to
Dedoimedo?

Read more

Donate