The rise and fall of Heartbleed hysteria

The OpenSSL flaw is serious, but the four horsemen of the apocalypse aren't coming for the Internet -- or your smartphone

Page 2 of 2

Big websites were quick to patch the vulnerability (Google, Facebook, YouTube, Yahoo, Facebook, Netflix, Dropbox) or reassure users they were never vulnerable (Amazon, LinkedIn, Twitter, PayPal, MSN, Apple, Microsoft). But by that time, the reputed danger had gone viral, spreading from public-facing servers to clients -- particularly Android. Headlines aimed at terrifying smartphone users were often refuted by security experts, who agreed that while Heartbleed could, in theory, pose a risk to millions of Android users, the practicality of such attacks was dubious. As Jeff Forristal, CTO for mobile security vendor Bluebox Security, told SearchSecurity:

Attacking the client, you'll probably only get a few chances. You're not going to be able to do a million requests because, remember, you're not asking the client or initiating the connection to the client to pump the data out. You're waiting for the client to go initiate to someone else, and you're just leveraging that opportunity, and the client is only going to make a few attempts. So you have a window of opportunity where you're only going to get a little bit of data, and it's a crapshoot whether you'd get anything interesting. You definitely could, but the odds aren't as much in the favor of the attacker as they were on the server side.

Blame open source
Hard on the heels of panic follows blame, and the open source model has come in for its share. The Heartbleed flaw was introduced into the open source code by a doctoral student in December 2011 and subsequently adopted to widespread use with the release of OpenSSL 1.0.1 in March 2012. Many argued that Heartbleed's origin highlighted the failings of open source development, but as Edward Raymond wrote, "One thing conspicuously missing from the downshouting against OpenSSL is any pointer to a closed source implementation that is known to have a lower defect rate over time."

InfoWorld's Simon Phipps concurred, urging an end to scapegoating open source for Heartbleed when "[c]losed development by unknown teams hidden behind corporate PR would seek to hide the truth [about a bug], as well as prevent anyone from properly analyzing the issue once it became known. While commercial involvement is probably a key to reducing future risks, that does not equate to any preference for opaque proprietary behavior."

Commenter TsuruchiBrian, weighing in on a Slashdot thread on the question "How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?" pointed out that "[t]he visibility [of open source] doesn't make it so bugs don't exist. It makes them more likely to be found. This one existed and was found.... The argument 'seatbelts make riding in a car safer' is not 'heavily damaged' by someone dying in a car accident while wearing a seatbelt."

Both Venezia and Phipps see this as an opportunity to drive improvement -- and investment -- to the OpenSSL project. After all, says Venezia, "it's used everywhere, by large multinational companies in every market imaginable, yet its maintenance is the work of a few people. Maybe it's a signal to give back to the project.... The OpenSSL developers have been taken for granted for far too long."

Close the doors and change the locks
Pushback against the hysteria over Heartbleed has thankfully begun. James Andrew Lewis, director of the Strategic Technologies Program at the Center for Strategic & International Studies think tank, recently penned an opinion piece entitled "Heartbleed: Cybersecurity as Melodrama" arguing that cyber criminals would likely choose an easier and more effective way than Heartbleed to steal assets from companies.

Joni Brennan, executive director of the Kantara Initiative, which works on better digital identity management, agreed. "Likely this story has more relevance from the perspective of mass surveillance and vulnerabilities that underpin the Internet as a whole versus criminal behavior," Brennan said. "As the author notes, criminals tend to be much more sophisticated and targeted."

None of which goes to say that Heartbleed's dangers should be swept under the rug. As Venezia points out, after "the patching and the schadenfreude," the job of rekeying has to happen. "[W]e have to assume that every cert is compromised, and we have to rekey and regen all of our certs. That's not easily scripted at all -- and most of the time will be spent waiting for the certificate authority to redistribute our certs."

But in the end, will Heartbleed prove so very different from the countless other security challenges in the new world of IT?

"It's going to be no more or less different than any other security bug that has been out there," said Bluebox's Forristal. "This is just the cost of doing business in terms of the Internet and software security. We've had massive amounts of SQL injection [attacks] and worms; I mean, we've had things like this before and the Internet didn't grind to a halt."

This story, "The rise and fall of Heartbleed hysteria," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

| 1 2 Page 2