Heartbleed SSL Flaw's True Cost Will Take Time to Tally

NEWS ANALYSIS: Privacy, bandwidth and money have all been lost due to the Heartbleed bug. The full implications are, as yet, unknown.

Heartbleed SSL flaw

Ever since news first broke on April 7 about the Heartbleed security vulnerability, IT professionals around the world have been struggling to contain its impact. The Heartbleed crisis will, no doubt, come with a high price tag when the final tally is taken for all the damage it has caused.

The Heartbleed flaw is technically a security vulnerability in the open-source OpenSSL cryptographic library that provides Secure Sockets Layer (SSL) encryption capabilities. OpenSSL is widely deployed on Linux servers, mobile devices and embedded devices around the world and provides encryption for data in transit. While patches have been available for most major Linux platforms since April 8, some platforms still have not been patched, including Google's Android 4.1 (Jelly Bean) mobile operating system.

Although patches have been publicly available for more than week for most server platforms, that doesn't mean that all of the world's vulnerable servers and devices that can be patched have, in fact, been patched.

For example, the Tor privacy network is losing 12 percent of its network this week, due to servers in its network that have not been updated to protect against the Heartbleed flaw. Tor is a network made up of multiple relay servers through which Internet traffic is routed in a bid to try and anonymize the original location of a user. Developers working with the Tor project identified 380 vulnerable nodes on April 16, more than a week after patches for Heartbleed were first made available.

Heartbleed has cost Tor a nontrivial piece of its network, and in a broader context, it has cost the global Internet community a lot more.

Quantifying the cost that Heartbleed has inflicted on the world's IT systems and users is no easy task. Cloud security vendor CloudFlare has attempted to estimate some of the cost.

One aspect of the Heartbleed flaw is that SSL certificates need to be revoked and then reissued after a server patches for the issue. Given that SSL certificate revocation lists generate bandwidth for a Certificate Authority (CA) provider, CloudFlare CEO Matthew Prince has estimated in a blog post that the cost of revoking SSL certificates through the GlobalSign CA could well incur a bandwidth cost of $400,000. That's just one cloud vendor, working with one CA.

The total true cost of Heartbleed is going to include multiple factors. These variables will need to factor into the total cost of Heartbleed equation:

1. Human Resources: Building Patches. There is the cost across all the various projects and human staff involved to actually build and package OpenSSL.

2. Human Resources: Implementing Patches. There is likely a cost involved for the time required by individuals and companies to actually execute the required patches.

3. Human Resources: Scanning for Risk. Not all organizations are properly aware of what is running in their enterprises, and there is likely a staff time cost associated with scanning for servers that are at risk.

4. Human Resources: Resetting Passwords. Resetting passwords both for server administrators and end users is a time-consuming process.

5. Certificate Revocation Bandwidth. As CloudFlare noted, the process of revoking and then reissuing SSL certificates can be bandwidth-intensive, and that can be costly.

6. Stolen Data. So far, the only organization that has publicly reported having data stolen as a result of Heartbleed is the Canada Revenue Agency, but more such reports are likely to follow.

Take all those inputs together for all the hundreds of millions of end users that have been affected and we'll have the total cost for Heartbleed.

To put an actual number on it, given some historical precedence, I think $500 million is a good starting point. Back in 2001, eWEEK reported that the estimated cost of W.32 Nimda worm cleanup would hit $500 million. That was 13 years ago; given inflation, the cost of Heartbleed could be much higher, though the truth is that computing costs on the whole today are cheaper than they were in 2001 and significantly more automated.

Whatever the final total figure, Heartbleed is a security incident that is like no other in recent memory. Its potential impact is widespread, and it might take weeks, months or even years until the final true cost is ever tallied.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.