Bleeding Heartbeats

So, like systems administrators across the planet, I spent the day making sure that the various servers that I’m responsible for are not vulnerable to the “Heartbleed” bug.   Now that it’s all over, I’m still quite shaken by the severity of this issue and its long term implications for the security of the internet.

There are already a number of good technical explanations of this bug, such as this one.  The flaw can be boiled down to the following:

  • heartbleedMany webservers use something called OpenSSL to encrypt communication between the browser and the website.
  • Recent versions of OpenSSL include a feature called heartbeat, which allows an end user to send a packet of data and the server sends it straight back.
  • However, if you lie to the server, it can get confused.  If you tell it you’re sending a packet of, say, 1000 bytes, but don’t send it any, it will still send you back 1000 bytes of data.  And that data will contain all sorts of random stuff that happens to be lying around in memory on the server.
  • Stuff such as user names, session ids, and query strings.

It was a very, very sobering experience to query a vulnerable webserver and see it return information from another user’s session that would be sufficient for me to impersonate them.  This is not supposed to happen.

Really, the only good thing about this whole episode was watching how fast the sysadmin community reacted.    There were excellent, in-depth technical discussions on Reddit, Hacker News and elsewhere.  Several people wrote and published vulnerability testing software in a matter of hours, such as http://filippo.io/Heartbleed/ from Filippo Valsorda.  It was inspiring to watch him build, refine, publish and support an incredibly useful tool overnight, and then scale it out using Amazon Web Services to support the sudden huge demand for the tool.

The longer term implications of all this are unclear.  We’ve now had several worrying encryption bugs in the space of a few weeks, including Apple’s embarrassing GOTO fail.

Encryption is the bedrock of the modern internet, and yet we’re learning time and time again that writing good encryption software is hard.

Part of this must have to do with the tools that we use.  C is an excellent language for systems level development, but was never designed to be used in a hostile environment.  So many security breaches over the years have been caused by the way C requires the programmer to manually manage memory space.  The promise of Open Source Software is that with many eyes checking source code, bugs will be found quickly.  But the OpenSSL source code is, by all accounts, a mess.  Just have a look at the actual lines of code responsible for the heartbleed error and ask yourself whether you would have found the vulnerability while performing a security review.

I’m not sure what all the answers are, but I have a strong feeling that a key response is to start writing more readable software.

 

Fundamentally, we need a more secure web.  The internet is central to our lives, our societies, and our economies.  Today I saw what a shaky foundation it all rests on.