The sheer scale of the work required to fix this aspect of the bug — which makes it possible to steal the “security certificates” that verify that a Web site is authentic — could overwhelm the systems designed to keep the Internet trustworthy.
“Imagine if we found out all at once that all the doors everybody uses are all vulnerable — they can all get broken into,” said Jason Healey, a cybersecurity scholar at the Washington-based Atlantic Council. “The kinds of bad things it enables is largely limited only by the imagination of the bad guys.”
The Heartbleed bug put many consumers’ user names and passwords at risk. Undetected for two years, the bug quietly undermined the basic security of the Internet by leaving a gap in OpenSSL, an encryption technology used widely by businesses to protect sensitive data. By some estimates, the bug affected as much as two-thirds of the Internet; the flaw prompted thousands of Web users to change their passwords on Google, Yahoo, Facebook and other major services.
No examples have surfaced of anyone actually exploiting the vulnerability. But on Friday, Web services company CloudFlare issued an open challenge to hackers to see if Heartbleed could be used to do something really dangerous — steal the security certificates that prove Google, for instance, is really Google.
CloudFlare’s initial tests suggested it was probably impossible for an attacker to steal a site’s security certificate and lure visitors to a duplicate that looked and behaved exactly like the real version. (Most browsers, if they detect an invalid security certificate, will block access to the site and warn the user that it may be illegitimate. But with a stolen certificate, a fake site would be allowed to load as if it were the real thing.)
For the challenge, CloudFlare urged Internet users to run their own tests on a dummy server with the Heartbleed bug. Hackers had to steal the security certificate from the server, then send a message to CloudFlare that was “signed” with the certificate in order to prove they had obtained it. Within nine hours of the challenge’s launch — and three hours after he began working on the problem — a hacker named Fedor Indutny became the first to crack the code.
“It was just a fun way of spending Friday evening time, and a good chance to try my skills in a legal hacking action,” Indutny wrote in an e-mail to The Washington Post. “After starting a script on a cloud server, I watched a movie and totally forgot about it. Checking the logs in approximately 1 hour, to my surprise, revealed a private key to me.”
Indutny’s coup was quickly followed by three more successful attempts at hacking the security key. One of the hackers, Ben Murphy, told The Post it took him two hours to retrieve the secret key from CloudFlare’s server.
Stealing the certificate is labor intensive. Indutny’s attempt involved making 2.5 million requests of the CloudFlare server before he finally obtained the key. But what was thought to be impossible now turns out to be doable. Web sites can indeed be tricked into giving up their identity papers, and those papers can be reused by malicious actors.
Changing your passwords will not protect you if you give them unwittingly to a hacker pretending to be your Web mail provider.
In the days after Heartbleed was revealed, many Web sites raced to update their systems. Those fixes plugged the immediate hole so hackers could no longer take advantage of the vulnerability. But in light of this latest discovery, many sites still appear to be vulnerable; an attacker could have used Heartbleed to steal a site’s valid security keys anytime before the site patched its systems.
The next step, experts say, is for all 500,000 affected sites — from mom-and-pop retailers to big conglomerates — to revoke their security certificates and issue new ones.
But as necessary as that process is, it could have dramatic consequences for Web users’ everyday experiences.
When you visit a secure site, your browser checks the site’s security certificate against a list of invalidated certificates. Depending on how it is designed, the browser probably downloads that list to your computer. Because sites rarely change their certificates, the lists are relatively short.
But the Heartbleed exploit now requires hundreds of thousands of sites to add their certificates to the list, practically overnight. The certificate revocation lists will become bloated with new entries. And browsers will continue to download the now-massive files, according to Paul Mutton, a security consultant at the Web services company Netcraft. Checking a site’s identity will take vastly longer.
“If a certificate authority has to revoke 10,000 certificates, that entry will have 10,000 certificates on it,” Mutton said. “And if browsers have to download that . . . we’re talking hundreds of megabytes.”
It’s roughly the equivalent of having to download 30 minutes’ worth of standard-definition video just to view a single Web page.
While there has been a modest uptick in the number of sites revoking and reissuing their security certificates since the new vulnerability was demonstrated late Friday, Mutton said, the rise has not been significant — meaning many sites are unaware they need to reissue their certificates or are delaying doing so.
The good news is that many of the Web’s most critical sites — those belonging to banks and governments — were not vulnerable to Heartbleed in the first place, so they will not have to reissue their certificates. Other Web services, such as Facebook, Dropbox, OkCupid and Netflix, were affected by Heartbleed and are in the process of reissuing their certificates or have completed the process. But hundreds of thousands of other sites may still be exposed.
Healey, of the Atlantic Council, said Web security firms are left with two distasteful options. The first option is to flood the Internet’s security infrastructure with tens of thousands of revoked keys per day and risk slowing down the Web in exchange for greater security. The second option is not much better.
“What’s the other solution? Ask people to be vulnerable for longer? That doesn’t strike me as particularly reasonable,” he said.
More on the Heartbleed bug:
This story has been updated.
Correction: An earlier version of this post misspelled the name of Netcraft's Paul Mutton.