SAN FRANCISCO — The discovery of a significant flaw in software that was supposed to provide extra protection for thousands of websites has thrown the tech world into chaos as experts scrambled to understand the scope of the vulnerability.
Consumers started to receive a trickle of notices from services they use online alerting them to potential issues and recommended steps, such as changing passwords. But given the scope of the issue, security experts projected that it could take years to sew up all the holes created by the Heartbleed bug.
“This is one of the worst security issues we’ve seen in the last decade and will remain within the top 5 for many years to come,” said Adam Ely, founder and chief operating officer of Bluebox Security.
Added Jeff Forristal, Bluebox chief technical officer: “OpenSSL is extremely pervasive on all manners of devices, systems and servers. It is going to take the ecosystem significant time to get everything updated, and we will be looking at a long tail situation that could easily extend into years.”
Heartbleed is a vulnerability in OpenSSL, a technology used to provide encryption of an estimated 66 percent of all servers on the public Internet. OpenSSL is an open-source code developed and maintained by a community of developers, rather than by a single company.
Although such jargon is unfamiliar to average users, most people online probably have seen the green padlock icon in the address bar of their browser, followed by “https” that indicates that the OpenSSL added security has been enabled.
The vulnerability was found separately last week by Neel Mehta, a security researcher at Google Inc., and a team of engineers at Codenomicon, a security website that has since created a site with information about Heartbleed.
On Tuesday, Tumblr, owned by Yahoo Inc., disclosed that it had been hit by Heartbleed and urged users to change not just the password for its site but for all others as well.
Signaling just how much uncertainty and confusion surrounds the glitch, security experts warned that such a gesture might actually be useless because if a site has not fixed the problem hackers could just as easily steal the new password.
“The scope of this is immense,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, a Salt Lake City cybersecurity company. “And the consequences are still scary. I’ve talked about this like a ‘Mad Max’ moment. It’s a bit of anarchy right now. Because we don’t know right now who has the keys and certificates on the Internet right now.”
It appears the bug was introduced into OpenSSL by a programming mistake that got pushed out as websites around the world updated their version of OpenSSL.
After the discovery last week, news spread quickly around the Web as the implications became clearer. As Tumblr made its announcement, security experts found numerous “exploits” or simple pieces of software widely available online that hackers could use to attack sites left vulnerable by Heartbleed.
By running such exploits, a hacker could in just a few seconds download countless emails, passwords, user IDs and much other personal information.
“Heartbleed is like finding a faulty car part used in nearly every make and model, but you can’t recall the Internet and all the data you put out on it,” said Jonathan Sander, vice president of research and technology for Stealthbits Technologies, a cybersecurity firm in Hawthorne, N.J.
An updated version of OpenSSL has been issued, and sites can use that to fix the bug. In addition to updating OpenSSL, sites will need to update many pieces of their security protocols.
But Internet users now face a dilemma: How do they know they can trust a site?
A website created by Filippo Valsorda, an Italian cyber security expert, promises to vet websites for safety. The tool tests websites by trying to exploit them using the Heartbleed bug, Valsorda said.
Valsorda said that he built the tool in a few hours but that he has kept working on it to improve how it works. He said the website, at http://filippo.io/Heartbleed, was being used about 7,000 times per minute Wednesday.
A check of the website Wednesday listed many popular sites as secure, including Facebook, Twitter, Gmail, Amazon and Yahoo.
Besides checking to make sure websites are secure, Valsorda recommends that users also keep an eye out for statements from their most frequented websites in case they were hacked through the Heartbleed bug.
Experts worry that hackers can use security information gathered via Heartbleed to create fake copies of real sites that will induce users to disclose more information.
“Avoid things like online banking and avoid sensitive sites if you’re not sure,” said Andrew Storms, director of DevOps at CloudPassage. “Some people will see it as overkill. But I think that’s the simplest guidance.”
What’s making the security community so nervous is just how little is known about how widely the vulnerability has been exploited to get personal and commercial information.
“This is an excellent example of vulnerabilities that exist within encryption products just waiting to be discovered,” said Lucas Zaichkowsky, enterprise defense architect for AccessData. “This particular programming error was introduced in December 2011 with OpenSSL version 1.0.1. Criminals could have been using it. Intelligence agencies like the NSA could have been exploiting it. It’s hard to say what those organizations have in their arsenal, being used quietly.”
The bug is also raising questions about the wisdom of relying on such a single standard.
“Having common technology is typically viewed as a good thing. But it can also lead to assumptions,” Sander of Stealthbits said. “People assume the parts they use are safe if everyone uses them. If deep testing isn’t being done by the good guys to make sure those parts stay safe over time, then you can be sure the bad guys will find the faults first.”
Added Mark Bower, vice president of product management and solution architecture for Voltage Security:
“Security vulnerabilities will always exist, and provide the ideal beachhead for attackers to establish the data-stealing malware infantry front line. In this case, Heartbleed’s significant data theft risk also emphasizes the need to take a different approach to data protection above and beyond SSL.”
It’s also led to a debate about the reliability of open-sourced security tools.
“This is really serious and a big blow to the credibility of open source,” said Phil Lieberman, president of Lieberman Software in Los Angeles. “This is very bad, and the consequences are very scary now that it has been disclosed. The fact that this code is on home- and commercial Internet-connected devices on a global scale means that the Internet is a different place today.”