The Heartbleed bug in a software library (called OpenSSL) used to secure many websites allows an attacker to trick these websites to send an arbitrary memory block of 64 kilobytes back to him. In this blog post I will argue that the way this bug was disclosed has greatly increased the damage it causes.
What can an attacker learn by exploiting the Heartbleed bug? It turns out that for a popular website like Yahoo, such a blob of memory obtained by an attacker almost always contains at least one random user’s password. By repeating the attack the attacker quickly collects a large table of username/password combinations for the website under attack. Under certain circumstances the same attack can also leak the private key of the website under attack. This does depend on the specific setup of the website though: some websites report that they are vulnerable to a very limited extent.
The bug was present in the OpenSSL library since December 2011. Codenomicon found the bug on April 3, 2014 and immediately reported it to the Finnish Computer Emergency Response Team (CERT). Independently Neel Mehta of Google Security reported the bug to the OpenSSL team. Existence of the bug was made public on April 7 by the OpenSSL team, right after it was patched in the latest version of OpenSSL.Quickly, exploit code became available.
I do not understand why the bug was publicised so soon after patching the library. [Update: In fact details of the bug spread even before the bug was patched.] This gave websites no time to upgrade their systems (to include the patched library). As a result, many websites were (and still are) vulnerable while exploit code is now widely available. The consequences of this are very severe, and I feel the way this bug was disclosed was irresponsible.
Cybercriminals and intelligence agencies are in all likelihood very busy right now collecting user passwords and the private keys of websites while they (still) can. Whether the NSA knew about and exploited the bug for years is in fact not very relevant. By collecting as many private keys of websites as they can right now, they can retroactively decrypt previously recorded secure internet traffic at leisure (unless those sites encrypted their traffic using perfect forward security).
As a result we must all assume that a significant fraction of the passwords we use on affected websites have been compromised. Because people often reuse usernames and passwords, people are advised to change all their passwords on all their accounts. This is a mayor undertaking (and, in fact, a bloody nuisance). Moreover, we must assume that all our private conversations through websites whose private keys have been recovered by the intelligence agencies and whose communications have been stored, are no longer private.
If the bug had been disclosed after (almost) all websites had incorporated the patch of OpenSSL in their own webserver software, I think the ramifications would have been less severe. For typical Internet users the risk could even have been acceptable, at least not high enough for them to change all their passwords. Whereas we are now certain password are being collected and private keys are being recovered, this would otherwise have been less likely. How much less likely is of course hard to tell. It depends on whether anybody knew about the bug before it was publicly disclosed, whether this knowledge was shared with others, whether the bug was actively exploited and on which scale. In the case of Heartbleed, this is difficult to determine because exploitation of the bug typically does not leave any traces in the logs of the webserver. They can be detected by an Intrusion Detection System (IDS) given the right set of rules. And I would expect a smart IDS to notice a sudden change in SSL-related traffic. So far only one suspicious dump of Internet traffic before the public disclosure has been found. I understand that honeynets have not reported use of this specific exploit. I would love to learn about more evidence that will allow us to give a proper estimate of the likelihood of a pre-disclosure exploitation of Heartbleed.