What not to do about Heartbleed
April 17, 2014  

I’ve been surprised by the security community’s reaction to the Heartbleed OpenSSL bug. Heartbleed affects many web servers, and it gives attackers (or anyone else) an easy way to extract potentially sensitive data from the servers; for example, in some cases you can extract the encryption keys that protect the communication between web browsers and the server.

So this is a serious bug. But I have to disagree with experts like Bruce Schneier, who says that “On the scale of 1 to 10, this is an 11”, or Ed Felten, who says “The Heartbleed vulnerability is one of the worst Internet security problems we have seen”. There have been many, many bugs that potentially allowed attackers to not just extract information from but completely control a large fraction of web servers on the Internet (“remote code execution” bugs). So if we rate Heartbleed as an 11 then we have a totally useless scale of severity.

What is different about Heartbleed is the reaction to it. Rather than being largely ignored, as usual, there seems to be some agreement that steps must be taken: certificates must be revoked (even though it is not at all clear that any private keys were taken), and passwords must be changed (even though it is not clear that any passwords were taken). This doesn’t make sense, but I’m sure we’ll learn something useful by going through with the process.

Here’s something else that’s different, and dangerous. Heartbleed is rather easy to detect: you just send a message to a server asking for a too-long reply, and if you get a response of the desired length, the server is vulnerable. And for some reason, many in the security community think it is a good idea to actually go ahead and test real web sites for this bug.
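The length rule that a patched receiver enforces (and that a network sensor can check on the heartbeat records it sees), as an added example that is not code from the original post; the record layout follows RFC 6520, and the sample records, `scan_records` and `build_record` are constructed here for illustration.

```python
# Added example, not code from the original post: a receiver-side check for
# the RFC 6520 Heartbeat length rule that Heartbleed's OpenSSL code skipped.
# Layouts follow the RFC; the sample records at the bottom are constructed.
import struct

TLS_HEARTBEAT = 0x18            # TLS record content type "heartbeat"
HB_REQUEST, HB_RESPONSE = 1, 2  # HeartbeatMessageType values
MIN_PADDING = 16                # RFC 6520: padding MUST be at least 16 bytes

def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than its header claims")
    return content_type, version, body

def check_heartbeat(body: bytes) -> str:
    """Return 'ok', or the reason a receiver must silently drop the message.
    payload_length is peer-supplied; the only trustworthy length is the
    record length actually delivered, so 1 + 2 + payload_length + 16 must
    fit inside it before any payload byte is copied (the check Heartbleed lacked)."""
    if len(body) < 3:
        return "truncated heartbeat header"
    hb_type, payload_length = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "unknown heartbeat type"
    if 3 + payload_length + MIN_PADDING > len(body):
        return "payload_length exceeds record length (Heartbleed-style)"
    return "ok"

def scan_records(stream: bytes):
    """Yield (offset, verdict) for each heartbeat record in a stream of
    back-to-back TLS records, e.g. reassembled from a capture (constructed helper)."""
    offset = 0
    while offset < len(stream):
        content_type, _, body = parse_tls_record(stream[offset:])
        if content_type == TLS_HEARTBEAT:
            yield offset, check_heartbeat(body)
        offset += 5 + len(body)

def build_record(content_type: int, body: bytes, version: int = 0x0302) -> bytes:
    """Encode one TLS record; used here only to construct the samples below."""
    return struct.pack("!BHH", content_type, version, len(body)) + body

# Constructed samples: a well-formed request, and one claiming 64 payload bytes
# while actually carrying 4 (the kind of message a patched receiver drops).
GOOD = build_record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 4) + b"ping" + b"\x00" * 16)
BAD = build_record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 64) + b"ping" + b"\x00" * 16)
```

A vulnerable server trusted the claimed 64 and copied that many bytes from memory into its reply; the check above refuses the message because only 23 bytes were delivered.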

This is a terrible idea. In the United States and many other countries, you can get arrested for this. In the US we have the notorious Computer Fraud and Abuse Act, which has been used by prosecutors to charge not only criminals but also some people who were just investigating security flaws in good faith. Regardless of what you think of such laws and their application, they exist, and you shouldn’t take it on yourself to test for Heartbleed.

In Canada, they have arrested a 19-year-old student for exploiting Heartbleed. I don’t know any particulars about the case, but I doubt that a 19-year-old kid is a criminal mastermind.