The OpenSSL flaw is serious, but the four horsemen of the apocalypse aren't coming for the Internet -- or your smartphone

The crescendo of stories dissecting the Heartbleed bug is testimony to just how much everyone loves a good train wreck. In case you’ve been disconnected from media for the past fortnight, Heartbleed is not the latest boy band sensation — it’s a very serious OpenSSL flaw that makes it possible for attackers to read the memory of systems protected by vulnerable versions of the cryptographic software library.

OpenSSL encrypts a huge amount of traffic on the Internet. It’s used in Apache and Nginx, and it probably runs on at least 60 percent of websites. As security blogger Bruce Schneier wrote, “On the scale of 1 to 10, this is an 11.” But serious as it is, the recent onslaught of news reports on Heartbleed managed too often to overstate the threat and cry wolf over dangers that are dubious at best.

Rising panic

Early on, stories underscored the seriousness of the flaw; focused on what users, admins, and developers could do about Heartbleed; and provided lists of the top 100 websites and whether they were vulnerable. Server makers rushed to patch their products, and users were advised to change their passwords. On the heels of these pragmatic reports came the inevitable conspiracy stories starring everyone’s favorite baddy du jour, the NSA, which was quick to refute claims that it had known about — and exploited — the Heartbleed flaw for years.

Security vendor CloudFlare further roiled the pot by issuing a challenge to hackers to steal a server’s private encryption key using the Heartbleed bug. Fedor Indutny of Moscow took nine hours to obtain the key, thereby proving for the first time that such an attack was possible.
Everyone loves a good competition — especially when the fate of the Internet is seemingly at stake — but it was reader EngSci ETC, commenting on a Forbes story that screamed “A Billion Smartphone Users May Be Affected by the Heartbleed Security Flaw,” who put the hacking feat into perspective:

9 hours for a fresh server with optimal conditions dedicated to getting hacked. In computing terms that’s a hell of a long time under excellent conditions. Someone with a gaming laptop could brute-force hack into a secured wireless network in the same timeframe. Considering they took between 250,000 and 2.5 million requests, most well-protected servers would have noticed funky activity and blocked further requests. 32 thousand requests per second from a single user is highly suspicious since that would be about 100x more than the fastest Internet connections allow a real user to use. Even the smaller number is still well above what a normal user is expected to do, and most servers will shut down the connection. Even with a team of bots it’s a tall order. Certainly not impossible, but definitely something normal users (non-corporate users) don’t have to worry too much about.

Also lost in the initial panic over the fact that two-thirds of websites use OpenSSL was any breakdown of how many of the servers were running a version actually affected by the flaw — a figure that some put at 17 percent. As InfoWorld’s Paul Venezia said in “3 big lessons to learn from Heartbleed”: This vulnerability affected only certain OpenSSL versions. OpenSSL versions prior to 1.0.1 are not vulnerable — and a massive number of active servers using OpenSSL for Web and other services are happily running OpenSSL 0.9.8 through 1.0.0 with no fear of the Heartbleed bug.
For those of us not running bleeding-edge production servers, this meant that we had little to worry about.

Big websites were quick to patch the vulnerability (Google, Facebook, YouTube, Yahoo, Netflix, Dropbox) or reassure users they were never vulnerable (Amazon, LinkedIn, Twitter, PayPal, MSN, Apple, Microsoft). But by that time, the reputed danger had gone viral, spreading from public-facing servers to clients — particularly Android. Headlines aimed at terrifying smartphone users were often refuted by security experts, who agreed that while Heartbleed could, in theory, pose a risk to millions of Android users, the practicality of such attacks was dubious. As Jeff Forristal, CTO for mobile security vendor Bluebox Security, told SearchSecurity:

Attacking the client, you’ll probably only get a few chances. You’re not going to be able to do a million requests because, remember, you’re not asking the client or initiating the connection to the client to pump the data out. You’re waiting for the client to go initiate to someone else, and you’re just leveraging that opportunity, and the client is only going to make a few attempts. So you have a window of opportunity where you’re only going to get a little bit of data, and it’s a crapshoot whether you’d get anything interesting. You definitely could, but the odds aren’t as much in the favor of the attacker as they were on the server side.

Blame open source

Hard on the heels of panic follows blame, and the open source model has come in for its share. The Heartbleed flaw was introduced into the open source code by a doctoral student in December 2011 and subsequently adopted to widespread use with the release of OpenSSL 1.0.1 in March 2012.
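The version boundaries above (nothing before 1.0.1 is affected, the flaw ships with 1.0.1) are what an admin actually needs when triaging a fleet. The following helper is an added example, not code from the article or from OpenSSL: it parses the string `openssl version` reports and says whether it falls inside the affected 1.0.1 window. The first fixed patch level is not stated in the article and is an assumption here (1.0.1g); confirm it against the OpenSSL security advisory before relying on it.

```python
"""Heartbleed version-window triage (added example, not from the article)."""
import re
from typing import Optional, Tuple

# ASSUMPTION (not stated in the article): first fixed 1.0.1 release is 1.0.1g.
# Verify against the OpenSSL advisory before trusting the result.
FIRST_FIXED_PATCH = "g"

# Matches "1.0.1e", "1.0.0k", "0.9.8y": major.minor.fix plus optional patch letters.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Turn 'OpenSSL 1.0.1e 11 Feb 2013' (or just '1.0.1e') into (1, 0, 1, 'e')."""
    text = text.strip()
    if text.lower().startswith("openssl"):
        text = text[len("openssl"):].strip()
    match = _VERSION_RE.match(text)
    if not match:
        return None
    major, minor, fix, patch = match.groups()
    return int(major), int(minor), int(fix), patch


def is_heartbleed_window(version: str) -> Optional[bool]:
    """True  -> 1.0.1 series below the assumed fixed patch level (affected).
    False -> older than 1.0.1, which the article says was never vulnerable.
    None  -> unparseable, or a newer series this helper does not judge."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    major, minor, fix, patch = parsed
    if (major, minor, fix) < (1, 0, 1):
        return False  # 0.9.8 and 1.0.0 predate the heartbeat code
    if (major, minor, fix) != (1, 0, 1):
        return None  # 1.0.2 and later are outside what this helper checks
    # Patch letters sort naturally: '' (plain 1.0.1) < 'a' < ... < FIRST_FIXED_PATCH
    return patch < FIRST_FIXED_PATCH


def triage(version_lines) -> dict:
    """Map each reported version string to its verdict for a fleet report."""
    return {line: is_heartbleed_window(line) for line in version_lines}


if __name__ == "__main__":
    # Constructed sample output from several hosts, not real inventory data.
    for line, verdict in triage(["OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 0.9.8y", "1.0.1g"]).items():
        print(f"{line!r}: {verdict}")
```

Distributions that backport fixes keep the old version string, so a package reporting 1.0.1e may already be patched; treat the verdict as a triage hint and confirm with the distribution's changelog or a live heartbeat test from a tool you trust.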
Many argued that Heartbleed’s origin highlighted the failings of open source development, but as Edward Raymond wrote, “One thing conspicuously missing from the downshouting against OpenSSL is any pointer to a closed source implementation that is known to have a lower defect rate over time.”

InfoWorld’s Simon Phipps concurred, urging an end to scapegoating open source for Heartbleed when “[c]losed development by unknown teams hidden behind corporate PR would seek to hide the truth [about a bug], as well as prevent anyone from properly analyzing the issue once it became known. While commercial involvement is probably a key to reducing future risks, that does not equate to any preference for opaque proprietary behavior.”

Commenter TsuruchiBrian, weighing in on a Slashdot thread on the question “How Does Heartbleed Alter the ‘Open Source Is Safer’ Discussion?” pointed out that “[t]he visibility [of open source] doesn’t make it so bugs don’t exist. It makes them more likely to be found. This one existed and was found…. The argument ‘seatbelts make riding in a car safer’ is not ‘heavily damaged’ by someone dying in a car accident while wearing a seatbelt.”

Both Venezia and Phipps see this as an opportunity to drive improvement — and investment — to the OpenSSL project. After all, says Venezia, “it’s used everywhere, by large multinational companies in every market imaginable, yet its maintenance is the work of a few people. Maybe it’s a signal to give back to the project…. The OpenSSL developers have been taken for granted for far too long.”

Close the doors and change the locks

Pushback against the hysteria over Heartbleed has thankfully begun.
James Andrew Lewis, director of the Strategic Technologies Program at the Center for Strategic & International Studies think tank, recently penned an opinion piece entitled “Heartbleed: Cybersecurity as Melodrama” arguing that cyber criminals would likely choose an easier and more effective way than Heartbleed to steal assets from companies. Joni Brennan, executive director of the Kantara Initiative, which works on better digital identity management, agreed. “Likely this story has more relevance from the perspective of mass surveillance and vulnerabilities that underpin the Internet as a whole versus criminal behavior,” Brennan said. “As the author notes, criminals tend to be much more sophisticated and targeted.”

None of which goes to say that Heartbleed’s dangers should be swept under the rug. As Venezia points out, after “the patching and the schadenfreude,” the job of rekeying has to happen. “[W]e have to assume that every cert is compromised, and we have to rekey and regen all of our certs. That’s not easily scripted at all — and most of the time will be spent waiting for the certificate authority to redistribute our certs.”

But in the end, will Heartbleed prove so very different from the countless other security challenges in the new world of IT? “It’s going to be no more or less different than any other security bug that has been out there,” said Bluebox’s Forristal. “This is just the cost of doing business in terms of the Internet and software security. We’ve had massive amounts of SQL injection [attacks] and worms; I mean, we’ve had things like this before and the Internet didn’t grind to a halt.”

This story, “The rise and fall of Heartbleed hysteria,” was originally published at InfoWorld.com.