The crescendo of stories dissecting the Heartbleed bug is testimony to just how much everyone loves a good train wreck. In case you've been disconnected from media for the past fortnight, Heartbleed is not the latest boy band sensation -- it's a very serious OpenSSL flaw that makes it possible for attackers to read the memory of systems protected by vulnerable versions of the cryptographic software library.
OpenSSL encrypts a huge amount of traffic on the Internet. It's used in Apache and Nginx, and it probably runs on at least 60 percent of websites. As security blogger Bruce Schneier wrote, "On the scale of 1 to 10, this is an 11." But serious as it is, the recent onslaught of news reports on Heartbleed managed too often to overstate the threat and cry wolf over dangers that are dubious at best.
Early on, stories underscored the seriousness of the flaw; focused on what users, admins, and developers could do about Heartbleed; and provided lists of the top 100 websites and whether they were vulnerable. Server makers rushed to patch their products, and users were to advised to change their passwords.
On the heels of these pragmatic reports came the inevitable conspiracy stories starring everyone's favorite baddy du jour, the NSA, which was quick to refute claims that it had known about -- and exploited -- the Heartbleed flaw for years.
Security vendor CloudFlare further roiled the pot by issuing a challenge to hackers to steal a server's private encryption key using the Heartbleed bug. Fedor Indutny of Moscow took nine hours to obtain the key, thereby proving for the first time that such an attack was possible. Everyone loves a good competition -- especially when the fate of the Internet is seemingly at stake -- but it was reader EngSci ETC, commenting on a Forbes story that screamed "A Billion Smartphone Users May Be Affected by the Heartbleed Security Flaw," who put the hacking feat into perspective:
9 hours for a fresh server with optimal conditions dedicated to getting hacked. In computing terms that's a hell of a long time under excellent conditions. Someone with a gaming laptop could brute-force hack into a secured wireless network in the same timeframe. Considering they took between 250,000 and 2.5 million requests, most well-protected servers would have noticed funky activity and blocked further requests. 32 thousand requests per second from a single user is highly suspicious since that would be about 100x more than the fastest Internet connections allow a real user to use. Even the smaller number is still well above what a normal user is expected to do, and most servers will shut down the connection. Even with a team of bots it's a tall order. Certainly not impossible, but definitely something normal users (non-corporate users) don't have to worry too much about.
Also lost in the initial panic over the fact that two-thirds of websites use OpenSSL was any breakdown of how many of the servers were running a version actually affected by the flaw -- a figure that some put at 17 percent. As InfoWorld's Paul Venezia said in "3 big lessons to learn from Heartbleed":
This vulnerability affected only certain OpenSSL versions. OpenSSL versions prior to 1.0.1 are not vulnerable -- and a massive numbers of active servers using OpenSSL for Web and other services are happily running OpenSSL 0.9.8 through 1.0.0 with no fear of the Heartbleed bug. For those of us not running bleeding-edge production servers, this meant that we had little to worry about.