SSL After The Heartbleed

Published: 22/11/2024   Category: security




Encryption gets a big wake-up call -- and a little more scrutiny.



Heartbleed wasn't the first security hole discovered in SSL deployments, and it won't be the last.
The discovery of the dangerous flaw in a widely deployed SSL software platform, OpenSSL, initially shook some confidence in SSL-encrypted websites and servers, but in the end it served as a healthy wake-up call for encryption deployments, security experts say. The vulnerability, which is in the software itself and not in the Secure Sockets Layer/Transport Layer Security protocol, illuminated how encryption software isn't immune to coding errors.
SSL had been touted as the answer to all things privacy since Edward Snowden's leak of documents about controversial National Security Agency surveillance operations, but it became a three-letter word in the wake of the Heartbleed vulnerability disclosure in April. Security experts say Heartbleed likely only scratched the surface of weaknesses in SSL software and implementations.
The good news for SSL/TLS encryption is that it's now under the research microscope, so the software and the protocol itself will ultimately evolve into stronger and more secure versions.
"There have been bad bugs before, and there will be again. This [Heartbleed] is a particularly nasty bug we'll be dealing with for a while," says Dan Kaminsky, chief scientist at White Ops. "But it wasn't the end of the world. The worst thing was that average users were told to change their passwords."
Encryption expert and security guru Bruce Schneier says Heartbleed didn't damage SSL or shake confidence in the encryption protocol. "I don't think Heartbleed changed anything. A vulnerability was found and fixed," Schneier says. "SSL was never a panacea... you've always got to raise the bar."
"SSL has always had a lot of problems. This is nothing new," he says.
Indeed, there have been SSL hacks before: In 2009, researchers exploited a known weakness in the algorithm in some SSL digital certificates to impersonate secure websites, and man-in-the-middle attacks such as SSLStrip emerged. And in 2011, there was the THC-SSL-DOS tool that basically knocked out an HTTPS-based server via a denial-of-service attack using a single laptop and a DSL connection. And there have been other SSL hacks researchers have demonstrated over the years.
SSL, meanwhile, has survived and remained the de facto encryption protocol. "The reason SSL has been so successful is that it's evolved over the years," says Chris Bailey, general manager of trust services at Trend Micro. "[The industry] definitely is going to be looking at flaws... and implementations more closely. Also, the underlying standards will benefit from a closer look."
"There's always a new generation of cryptography waiting in the wings to replace existing algorithms, anyway," he says. "I think we're in a better state than we have been in several years with encryption," he says. "The whole Snowden thing... [generated] more active conversation. People are discussing and thinking about encryption and not just taking it for granted."
Heartbleed is a read-overrun bug in the implementation of the Transport Layer Security protocol's heartbeat extension, an extension to the protocol that checks on the site to which it is connecting to ensure it's connected and can respond. If exploited, the bug leaks the contents of memory from the server to the client and vice versa, potentially exposing passwords and other sensitive data and, most alarmingly, the SSL server's private key. OpenSSL versions 1.0.1 and 1.0.2 beta are affected by the vulnerability, which was discovered by security researchers at Google and Codenomicon, and OpenSSL has since issued an updated version of the software that fixes the bug.
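The read-overrun mechanics just described, as an added illustration that is not from the article or from OpenSSL's source: a constructed heartbeat handler that trusts the peer's claimed payload length beside one that bounds it against the record actually received, which is the shape of the check OpenSSL 1.0.1g added. The memory arena, record layout, "ping" request and 16-byte "secret" are all constructed here, and the padding field of the real extension is omitted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed layout, padding omitted: type(1) | payload_length(2, big-endian) | payload */
#define HB_REQUEST 1
/* Arena standing in for process memory: the record sits at the front, and constructed
 * "secret" bytes sit right after it, where a real heap holds other connections' data. */
static unsigned char arena[64];

/* Writes a request claiming claimed_len payload bytes but carrying only strlen(payload),
 * then places the constructed secret after it. Returns the real record length. */
static size_t build_request(uint16_t claimed_len, const char *payload) {
    size_t actual = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual);
    memcpy(arena + 3 + actual, "SECRET-KEY-BYTES", 16); /* constructed, not a real key */
    return 3 + actual;
}

/* Vulnerable shape: trusts the peer's claimed length, as OpenSSL before 1.0.1g did.
 * The clamp to out_cap only keeps this demo inside the arena; the real bug had no bound. */
static size_t respond_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap) {
    uint16_t len = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                                   /* never consulted: that is the bug */
    if ((size_t)len > out_cap) len = (uint16_t)out_cap;
    memcpy(out, rec + 3, len);                       /* over-reads when len > rec_len - 3 */
    return len;
}

/* Fixed shape: the claimed length must fit inside the record actually received. */
static size_t respond_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap) {
    if (rec_len < 3) return 0;                       /* no room for type + length */
    uint16_t len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)len + 3 > rec_len || (size_t)len > out_cap) return 0; /* discard, as the fix does */
    memcpy(out, rec + 3, len);
    return len;
}

typedef size_t (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

/* Sends a request claiming 40 bytes while carrying "ping" (4 bytes) and reports whether
 * the handler's reply contains the constructed secret: 1 = leaked, 0 = contained. */
static int reply_leaks_secret(hb_handler handler) {
    unsigned char reply[64];
    const char *needle = "SECRET-KEY-BYTES";
    size_t n = handler(arena, build_request(40, "ping"), reply, sizeof arena - 3);
    for (size_t i = 0; i + 16 <= n; i++)
        if (memcmp(reply + i, needle, 16) == 0) return 1;
    return 0;
}
```

The same request that makes the unchecked handler echo 40 bytes, including the 16 secret bytes that follow the 7-byte record, is silently discarded by the bounded handler, while a request whose claimed length matches its payload still gets a normal reply.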
[Debate arises over an older memory allocation feature in OpenSSL, and the OpenBSD community starts to tear down and revise the crypto software for its own use. Read "Did A Faulty Memory Feature Lead To Heartbleed?"]
Caroline Wong, a director at Cigital, says the good news is that Heartbleed was a reality check for SSL: namely, that because it's software, things can and will go wrong. "The root of the problem is human programming error," Wong says.
SSL is used today for encrypting communications sessions on the Web via websites, virtual private networks, email, and instant messaging sessions. But most websites today do not use SSL -- or HTTPS -- save for high-profile ones that include financial transactions or other sensitive traffic, such as banks and retailers, for example. There are an estimated 3.3 million to 4 million SSL digital certificates in circulation on the public-facing Internet, according to a University of Michigan report.
Cost isn't a major hurdle for adopting SSL, experts say. Computing power isn't as expensive as it once was, and SSL isn't that much pricier than pure HTTP: it costs about $150 per year or less for an SSL certificate, says Michael Klieman, senior director of product management at Symantec.
"We believe that always-on SSL, the notion of encrypting everything, is what we should strive for. Today's limited use of SSL presents implementation risks where, unknowingly, customers can leave critical data unencrypted," Klieman says. "The main barriers are really outdated beliefs and practices, which we're working hard to overcome. But this is not just up to certificate authorities. Internet providers, browser vendors and others in the ecosystem play a role in continuing to increase security on the Internet."
Adding SSL sometimes requires adjusting capacity, namely in the case of large sites, and of course, managing digital certificates. "For the vast [number of sites], it's a low cost threshold," Trend Micro's Bailey says. "I'm more in the camp of just go ahead and encrypt everything. I think it's good practice."
Not everyone agrees that SSL should be everywhere on the Web. "Why would you need SSL to go browse Flickr? Why would you need it everywhere?" says Ralph Logan, CEO of big-data analysis firm Kiku Software.
