NEWS ANALYSIS: In the year since Heartbleed's discovery, there is more scrutiny than ever on OpenSSL and critical infrastructure overall.
A year ago today (April 7), I first saw the OpenSSL advisory
about a new security vulnerability identified as CVE-2014-0160 and titled "TLS heartbeat read overrun."
When I first wrote my article
on the issue, I identified the flaw as the Heartbeat SSL flaw. By the middle of the day on April 8, my editors at eWEEK
were asking me if I had mislabeled the story since other publications were calling it Heartbleed.
Time sure does fly.
The name Heartbleed is the branded term that security firm Codenomicon came up with. They also branded the vulnerability in a way that I had never seen before, but has since become a model that other security vendors have tried to emulate. The Codenomicon-branded Heartbleed had its own logo and an easy-to-follow description of the flaw and the actual risks.
As it turned out, the issue was also discovered by Google security researcher Neil Mehta. Both Mehta and Codenomicon were awarded
the Black Hat 2014 Pwnie award for Heartbleed in the category of best server-side bug.
Extraordinary branding, however, is not why Heartbleed was and still remains a non-trivial security issue. OpenSSL is a widely deployed open-source technology that is used on endpoints, mobile devices and servers. The promise of OpenSSL is that it provides the Secure Sockets Layer/Transport Layer Security (SSL/TLS) cryptographic libraries necessary to secure data transport. The danger of Heartbleed is that the SSL/TLS could be decrypted, leaving users at risk.
If Heartbleed had been responsibly disclosed to impacted vendors and if there had been a patch available prior to the advisory on April 7, a lot of the drama surrounding Heartbleed likely would have never come to pass. The problem is that somehow some vendors got early notice about Heartbleed, including Google and CloudFlare, while others got none.
The broken disclosure
process of Heartbleed added to the drama and anxiety of an already-critical security vulnerability. Instead of an orderly update, there was a mad rush by vendors and server administrators around the world to patch for Heartbleed to avoid exploitation.
While some vulnerabilities are not publicly exploited, that wasn't the case with Heartbleed. On April 8, the Canada Revenue Agency (CRA), the Canadian equivalent of the U.S. Internal Revenue Service (IRS), was forced to shut down tax filing services after being breached
by Heartbleed. The breach resulted in the Canadian government being forced to extend the tax filing deadline for Canadians to make up for the time the CRA site was shut down.
Canada is home to the only arrest related to Heartbleed that I'm aware of, as well. On April 16, the Royal Canadian Mounted Police (RCMP) announced
that it had arrested a 19-year-old student in connection with exploitation attacks against the CRA targeting the Heartbleed flaw.
In April 2014, I estimated
that the total cost of fixing Heartbleed would likely top $500 million. While we may never know the true total cost of Heartbleed, aside from the risk and the patching, it also triggered a new era of examination into open-source software security.
Since OpenSSL is open-source, many pundits were quick to criticize the open-source model as being at the core of the Heartbleed vulnerability. In response, the open-source community, led by the Linux Foundation, rallied and launched the Core Critical Infrastructure (CCI) effort. CCI raised $5.5 million in funding from Adobe, Bloomberg, Hewlett-Packard, VMware, Rackspace, NetApp, Microsoft, Intel, IBM, Google, Fujitsu, Facebook, Dell, Amazon and Cisco in an effort to secure open-source infrastructure and development. CCI is now providing some funding to OpenSSL developers to help prevent another Heartbleed.
The OpenSSL project itself has released multiple security updates over the course of the past year, as more resources have scrutinized the code in an effort to improve security. The most recent OpenSSL update debuted on March 19, providing 12 security fixes.