A year ago today (April 7), I first saw the OpenSSL advisory about a new security vulnerability identified as CVE-2014-0160 and titled “TLS heartbeat read overrun.”
When I first wrote my article for eWEEK on the issue, I identified the flaw as the Heartbeat SSL flaw. By the middle of the day on April 8, my editors at eWEEK were asking me if I had mislabeled the story since other publications were calling it Heartbleed.
Time sure does fly.
The name Heartbleed is the branded term that security firm Codenomicon came up with. They also branded the vulnerability in a way that I had never seen before, but has since become a model that other security vendors have tried to emulate. The Codenomicon-branded Heartbleed had its own logo and an easy-to-follow description of the flaw and the actual risks.
As it turned out, the issue was also discovered by Google security researcher Neil Mehta. Both Mehta and Codenomicon were awarded the Black Hat 2014 Pwnie award for Heartbleed in the category of best server-side bug.
Extraordinary branding, however, is not why Heartbleed was and still remains a non-trivial security issue. OpenSSL is a widely deployed open-source technology that is used on endpoints, mobile devices and servers. The promise of OpenSSL is that it provides the Secure Sockets Layer/Transport Layer Security (SSL/TLS) cryptographic libraries necessary to secure data transport. The danger of Heartbleed is that the SSL/TLS could be decrypted, leaving users at risk.
If Heartbleed had been responsibly disclosed to impacted vendors and if there had been a patch available prior to the advisory on April 7, a lot of the drama surrounding Heartbleed likely would have never come to pass. The problem is that somehow some vendors got early notice about Heartbleed, including Google and CloudFlare, while others got none.
The broken disclosure process of Heartbleed added to the drama and anxiety of an already-critical security vulnerability. Instead of an orderly update, there was a mad rush by vendors and server administrators around the world to patch for Heartbleed to avoid exploitation.
While some vulnerabilities are not publicly exploited, that wasn’t the case with Heartbleed. On April 8, the Canada Revenue Agency (CRA), the Canadian equivalent of the U.S. Internal Revenue Service (IRS), was forced to shut down tax filing services after being breached by Heartbleed. The breach resulted in the Canadian government being forced to extend the tax filing deadline for Canadians to make up for the time the CRA site was shut down.
Canada is home to the only arrest related to Heartbleed that I’m aware of, as well. On April 16, the Royal Canadian Mounted Police (RCMP) announced that it had arrested a 19-year-old student in connection with exploitation attacks against the CRA targeting the Heartbleed flaw.
In April 2014, I estimated that the total cost of fixing Heartbleed would likely top $500 million. While we may never know the true total cost of Heartbleed, aside from the risk and the patching, it also triggered a new era of examination into open-source software security.
Since OpenSSL is open-source, many pundits were quick to criticize the open-source model as being at the core of the Heartbleed vulnerability. In response, the open-source community, led by the Linux Foundation, rallied and launched the Core Critical Infrastructure (CCI) effort. CCI raised $5.5 million in funding from Adobe, Bloomberg, Hewlett-Packard, VMware, Rackspace, NetApp, Microsoft, Intel, IBM, Google, Fujitsu, Facebook, Dell, Amazon and Cisco in an effort to secure open-source infrastructure and development. CCI is now providing some funding to OpenSSL developers to help prevent another Heartbleed.
The OpenSSL project itself has released multiple security updates over the course of the past year, as more resources have scrutinized the code in an effort to improve security. The most recent OpenSSL update debuted on March 19, providing 12 security fixes.
Heartbleed a Year Later: How the Security Conversation Changed
Even with 12 months of time, there is still Heartbleed risk today. In a new report, security vendor Venafi claims that 74 percent of the Global 2000 are still at risk from Heartbleed. Venafi’s numbers, however, are not just about servers being updated with the latest OpenSSL milestone, but also about replacing SSL/TLS certificates.
Venafi issued a similar report in July 2014. Security experts contacted by eWEEK at the time contested Venafi’s analysis.
Dmitri Alperovitch, CTO and co-founder at Crowdstrike, said that while replacing SSL certificates is certainly recommended, not replacing the certificates doesn’t necessarily mean organizations are still vulnerable to Heartbleed.
“It’s akin to saying that even though you’ve had heart bypass surgery to mitigate a clot in an artery, you are still in immediate danger of having a heart attack because you haven’t stopped eating fatty and unhealthy foods,” Alperovitch said at the time.
While Venafi claims that the majority of sites it surveyed are still at risk from Heartbleed, the Qualys-sponsored SSL Pulse site currently reports that only 0.3 percent of sites are currently at risk from Heartbleed.
A year after Heartbleed first made headlines, it is still an issue, because old vulnerabilities never truly die. The simple reality of Heartbleed’s risk today is the same as that of any other known vulnerability for which an organization has not yet patched. Hewlett-Packard’s 2015 Cyber Risk report found that 44 percent of breaches could be attributed to patched vulnerabilities that are between two and four years old. Simply put, patching is hard, but when it comes to big issues like Heartbleed, organizations have, in fact, done a lot of patching.
Heartbleed was not the worst vulnerability in history, but it was noteworthy because of the hype and hysteria that it created. It triggered a global update of OpenSSL servers, desktops and mobile apps around the world and it did leave most of the world’s Internet population at risk of exploitation for a period of time.
In the year since Heartbleed, there is more scrutiny than ever on OpenSSL and critical infrastructure overall, and that’s a good thing. Ignorance is not bliss and it’s not security, either. Only by remaining vigilant can security ever be attained.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.