SparkFun has reacted quickly to protect ourselves and our customers against the Heartbleed vulnerability
Heartbleed, or CVE-2014-0160, is a pretty serious vulnerability in OpenSSL, one of the more popular libraries for encrypting communications on the internet, and its exposure this week has the internet on high alert.
You can read about the details behind the bug at Heartbleed.com, but here’s how it works in a nutshell: a couple years ago OpenSSL got a “heartbeat” feature which allows computers and servers with secure connections to each other to “ping” each other regularly to keep the secure connection open. A bug in the heartbeat feature allowed for computers without secure connections to still get a response this way, and that response could be exploited to include chunks of data from the server’s RAM, which could include all sorts of recently-decrypted stuff like passwords.
As soon as the vulnerability was exposed to the greater internet on April 7th we sprang into action along with the administrators of sites great and small, worldwide. It’s our responsibility to first patch all SSL libraries on all servers (to “stop the bleeding” as it were). Next we revoke and reissue all SSL certificates as the private keys may have been compromised. With some pressure on our certificate authority we’ve got fresh certs inbound and as soon as those are in place, likely sometime this afternoon, we’ll dump all sessions on SparkFun.com as those are also at risk of having been compromised.
This means every SparkFun customer will be logged out and any customers who have built a cart without signing in will lose that cart. However from that point on when you sign in to SparkFun.com you’ll be doing so over SSL using a new certificate where there’s no risk of the private keys having been leaked. But there’s still more to be done…
First of all, don’t log into any websites until you know they’re patched against this bug. Most major websites have already responded, and the patch isn’t very complicated so there’s no excuse not to respond. There’s a utility here that can help you determine if a given website has taken some of the necessary steps for protection.
Secondly, it’s about time to reset all of your passwords. Seriously. This vulnerability existed for the better part of two years and was only just exposed on Monday. If your account credentials somewhere were slurped up using this exploit at some time in that past and yesterday that site patched against Heartbleed those attackers still have your credentials. Change your password, and also consider setting up two-factor authentication for any sites or services that offer it.
This story has a lot of interesting angles. It’s arguably one of the biggest security vulnerabilities in the entire history of the internet. It’s technical but not terribly so, so I’m curious to see how it is covered in the main-stream media.
In the netsec community Heartbleed is already the highlight of the year. Flurries of discussions on various fora are churning right now on how this happened, how to react, what the long-term impacts are, etc. A family member who works as a penetration tester (someone who’s paid to steal your data and tell you how it was done) summarized the reaction from the offensive side of the network security community thusly.
Another angle worth mentioning is the certificate authorities, or CAs. SSL certificates can be generated for free using open source tools, but when done so they are “self-signed.” The entire SSL model relies on certificates to verify a website is who they say they are, and a self-signed certificate (while functional) doesn’t provide any confidence in that. This is why browsers warn you when a cert is self-signed. Certificate authorities are companies like Verisign and Comodo that build a business on confirming people are who they say they are and then signing their certificates. This can be expensive depending on how iron-clad you want that certification to be. At SparkFun we pop for the Extended Verification, or EV certificates which can require months of investigation on the CA’s behalf to confirm who SparkFun really is.
The curious thing about this vulnerability is that it requires an estimated 60-70% of all certificate holding websites across the internet to revoke+reissue or renew their SSL certificates. Revoke+reissue is free with our CA but renewal isn’t. If any sites unaware of their ability to revoke+reissue, or if a CA charges for that service, this could be a huge pay day for the CAs. That raises ethical questions about where their incentives lie… does it make good business sense for Comodo or Verisign to quietly encourage similar vulnerabilities in the future? Is a system like that ultimately sustainable? In fairness it’s also potentially a burden on the CAs as their volume for issuing certs has skyrocketed overnight. Time will tell how they react in the wake of Heartbleed.
We harp a lot about the virtues of open source here. This vulnerability, having appeared in an open source SSL library (OpenSSL) allowed for the netsec community to provide line-by-line diagnoses of the flaw within hours of its general exposure. Furthermore, open source is not about things being open now but things being open over time, so it’s been possible to peer deep into OpenSSL’s history to see how the flaw was introduced and evolved over time.
I’ve seen some chatter already about how this was the net effect of poor programming from an amateur open source development team. The quality of the programming (and arguably the review process) and the open source nature of the library are two completely different aspects that should not be conflated, however. A proprietary SSL library developed behind closed doors could have easily introduced the same flaws. The open source nature of the library may have made it easier for attackers to craft exploits against the heartbeat feature, but it’s likely that a similar feature+flaw in a proprietary library would have been compromised the same way. The internet’s most skilled and nefarious are never slowed down much by working with compiled binaries as opposed to source, and security through obscurity is widely stigmatized for good reason.
Ultimately the open source nature of the library that introduced the flaw has vastly aided the community in assessing the damages inflicted and mount a swift response. Regardless, the pessimist in me still expects to see “open source” taking some undue blame for this fiasco.
So that’s Heartbleed in a nutshell from SparkFun’s perspective. I’ll close with a reminder to protect yourself. Use strong passwords that don’t repeat, pay attention when your browser is warning you about an insecure website, and use 2-factor authentication wherever you can. Stay safe and have fun. =)
We’ve received and installed our reissued certificates, so we’ve dropped all browser sessions as an extra precautionary measure.