Whether we like it or not, we put a lot of trust and faith into the systems that carry our personal information. Our phones, our computers, and the ever evolving “cloud” are our repositories of the information we don’t want to memorize (phone numbers, calendar events, street directions, etc).
And they have become a space for us to look up for information we wouldn’t normally need (the atomic mass of ytterbium), and information we didn’t even know existed (like news).
Some of this information is private or, even if it isn’t, is guarded by security measures to restrict access to personal spaces in these services. So, in today’s highly integrated society, knowing access to those spaces is secure is a comfort that is enjoyed fairly implicitly.
We trust that the level of control we’re given will be enforced and maintained because we believe in the authentication model that has been in place for centuries. Passwords, which have been used as far back as ancient rome, are based on the simple idea to restrict access to a resource so that only people who are allowed are able use it. It was, literally, a word that let you pass through a barrier to entry. When the information age came around, we simply created a version of it in the digital world.
But, every now and again, we are reminded of the weakness built into the very foundation of that model. A password is nothing more than a piece of information and anyone, anyone with that token of knowledge has all of the privilege that goes with it.
With the recent outbreak of heartbleed, we need to change our system of authentication. Currently, passwords are the most common form of authentication. While the idea is genius in itself, technology has advanced past the idea of passwords.
Last week, companies and users around the world were given a wake up call when a vulnerability was discovered in a one of the most popular implementations of the technology that lets all of us use services like online banking, email, and online shopping with little fear for our privacy.
OpenSSL, an open source implementation of SSL, a the encryption standard computers use your computer uses to create a secure connections with each other services like GMail and Amazon.com, was found to have a bug in one of it’s most basic functions. For a better understanding of how this bug works, let’s walk through it step by step.
1. You tell your browser, “I’d like to connect to Gmail, please.” It says “okay” and hurries along to do your bidding, oh master.
2. It gets to GMail’s where it is told, “Listen, let’s communicate securely.” Your browser happily agrees and begins an encrypted connection using SSL. GMail uses On Google’s end, it uses OpenSSL to handle the connection, storing any data you want in the computer’s memory before sending it to you. This could be emails, images of cats, etc.
3. While you’re looking at the emailed images of cats in your email, your computer and Gmail want to keep the connection open for you, . Things are just faster this way. To do that, they will periodically poking e each other saying things like “Hey, GMail. Are you still there? If so, say this four letter word: cats.”
4. Knowing that your browser is trying to keep the connection open, it’ll read the message, count all four letters, and send back “Cats”.
This step is called the “heartbeat” because, just as your heartbeat tells doctors you’re alive, so does this exchange between your browser and Gmail. If you are nefarious, though, you can do a little technical trickery to get more information than you ought to. Let’s jump back to step three.
3. Instead of sending a heartbeat message that makes sense, you send this: “Hey, GMail. Are you still there? If so, say this 500 letter word: cats.”
4. Knowing that your browser is trying to keep the connection open, it’ll read the message, count the four letters in “cats”… and then keep counting. It will count all of the letters next to “cats” in its memory until it hits the 500th character and send to you all of characters it counted to. So, instead of receiving “cats”, you might receive “cats. Bob logged in with the password ‘truffles’. Bob wants to send this email… ‘Dear mom, thanks for all the cookies. Unfortunately, all of my roommates ate them…” and so on.
This is a big problem. Someone having the ability to read the memory of another computer remotely has tremendous security implications for everyone involved. And this isn’t a problem that was the result of a recent update.
This bug, dubbed Heartbleed, has been there waiting in the system since 2012 and there is no way to know if it was ever used. Now, before you decry technology and run off to live the Amish life, safe in the knowledge that nothing like this could ever affect you again, there is a measure of good news.
First, due to the importance of OpenSSL, most ojust about every major online services using it haves patched their servers to prevent the bug from working in the future. Second, most major financial institutions and online retailers were did not use OpenSSL or were otherwise not vulnerable. And third, for users of services that were found to be vulnerable (but are no longer so), protecting yourself is as easy as logging in and changing your password. This bug’s problem was not the result of a malicious attack nor a devious ne’er do well putting a some kind of secret backdoor into the code of OpenSSL, it was just a programming error: no more malicious than a waiter forgetting your drink, just wider in scope.
But there is a deeper concern at play. Very few people would have cared if it just leaked the contents of random emails. That information is private, sure, but the effects aren’t long lasting. It’s no more earth shattering than someone getting a random page from someone’s diary. But the fact that authentication information may have been part of it is what lends it the skin crawling factor it has.
Which brings us right back around to passwords. Heartbleed wouldn’t be an issue if everyone used a different password for every service they used, but the simple fact is that most of us don’t. It’s hard keeping so many passwords in our heads and we’ve been told over and over not to write them down. So, we use the same password or batch of passwords and, thus, when one of those is leaked, it’s disquieting because it’s a fundamental breach in our sense of security.
What we need, then is something better than passwords. We could use biometrics but fingerprint readers are hardly foolproof and, for now, require a separate bit of hardware. Companies, like Google, have been pouring money into this problem, but it’s understandably difficult to think outside of a paradigm that’s been around for, literally millennia. There are ways to beef up the power of passwords, like two-factor authentication, but that’s just a stopgap. It’s going to take some truly revolutionary thinking to come up with something to replace passwords, but I hope it comes soon.