What isn’t true about Heartbleed

From http://www.scmagazineuk.com/government-slated-as-mumsnet-becomes-first-uk-heartbleed-victim/article/342671/

“The flaw enables attackers to hijack the encryption keys in OpenSSL versions 1.0.1 to 1.0.1f and steal user data.”

* NO. The flaw enables attackers to harvest random data from a server, which may be anything. Encryption Keys. User Data. Junk. Bits of Programs. Snippets of email. Anything. This quote makes it sound like a user can be targeted, which goes against everything I’ve read about Heartbleed.

* Also <SIGH>, Heartbleed is NOT A VIRUS. It’s either a vulnerability or an exploit (?). This makes a big difference, because no amount of anti virus software will protect anyone. The other thing that isn’t being pushed enough is that it’s the website that’s at fault, not the device. It doesn’t make an ounce of different whether you’ve been buying from, for example, Amazon on a MacBook Air, Android tablet or Windows PC because the fault lay with Amazon (or whoever).

* Also, I don’t think Heartbleed is a bug either. In my mind, a bug causes a program to go wrong. Heartbleed did not cause OpenSSL to “go wrong”- it didn’t crash, or arbitrarily start sending data of its own accord. OpenSSL was being asked to return the heartbeat, and that’s what it did. Unfortunately, it wasn’t written to check whether the requested data was the right length so the vulnerability occurred (and even more unfortunately, the “filler” it chose was the contents of RAM, which even more unfortunately again contained critical information).

The problem is that it’s taken 2 years to uncover this fault, during which time individuals must have logged on to affected sites thousands of times and therefore may have had their user credentials or other personal data harvested (or not, as the case may be).

This is the snag with the pro-scare-mongering side of it: no one individual could say whether they’ve lost data or not, because the whole thing is random. It’s a catastrophic flaw with unknown consequences (although granted: with the number of big sites affected, it’s likely a lot of people have had data harvested).

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s