Heartbleed patched but security time bomb is still ticking

Heartbleed, the bug that has preoccupied thousands of websites and millions of users over the past week, may well have been the biggest security flaw in internet history but it is unlikely to be the last…

Health check failed. El Payo, CC BY

Heartbleed, the bug that has preoccupied thousands of websites and millions of users over the past week, may well have been the biggest security flaw in internet history but it is unlikely to be the last.

Our entire security infrastructure is a mess because both ordinary people and elite security experts often harbour fundamental misunderstandings about security, design and privacy.

Heartbleed is a bug in OpenSSL, a library used by programmers to encrypt data on the web. Hackers may have used the bug to find your password for Facebook, Instagram, Google, Yahoo and possibly thousands of other websites.

Security Guru Bruce Schneier has called the situation “catastrophic” – an 11 on a scale of 1 to 10. And the craziest part is, Heartbleed is so simple that you can explain how it works in a six-panel comic strip.

Secure is not a fixed state

One serious problem is that many people think about security as a fixed state. We categorise some things as “secure” while others are “insecure”. Money in the bank is secure. Money in the sock drawer is insecure. When you see the little padlock icon in your browser, the website is secure. If there is no padlock, it’s insecure.

This is nonsense. Security is a spectrum. Making data more secure is expensive and inconvenient. So we compromise. We accept some risk to avoid high costs and frustrating access policies.

This confusion is exacerbated by our unrealistic views about the designers and engineers who build websites. We imagine designers who logically deduce optimal designs from a comprehensive list of requirements and testers who systematically rule out every possible bug.

But design isn’t like the maths problems you did in school where finding the answer is simply a matter of manipulating the information given. It’s a creative process that involves improvising as many systems have no meaningful requirements in practice.

A system like OpenSSL has an unknown, potentially infinite number of exploits. You can spend billions testing it and still not know for certain whether you have found them all.

Expensive locks on glass doors

Organisations appear to regularly spend enormous sums on fancy-sounding security technologies that are trivially easy to bypass. Take, for example, the millimetre-wave body scanners now found in many airports. These cost US$180,000 each and are used to create, save, store, and transfer naked images of you.

Even though they cost a fortune and significantly undermine our privacy, you can walk through a body scanner with a gun or a third of a kilogram of plastic explosive. Or, since children are not subjected to the scanners, you could just hide something on the kid and retrieve it on the other side.

Online, we primarily lock our data using passwords. But passwords just don’t work very well. Virtually everything that’s easy for you to remember is easy for others to guess. Everything that’s hard to remember has to be written down somewhere, and then someone else can find it. Hackers can also trick you into revealing your password or exploit password reuse to compromise your “password ecosystem”.

And hackers are not the only ones seeking to get their hands on your data. You may well wonder why you should bother having strong passwords when government agencies including the NSA systematically undermine encryption standards to more easily access your data on Facebook and other websites. Of course, hackers can exploit the same weaknesses created by the NSA.

Your password future

For most of us, opting out of online life because of the NSA or Heartbleed is unrealistic. However, there are some reasonable precautions you can take today.

First, you should get a password manager like LastPass or 1Password. These make it more convenient to use stronger passwords, and a different password on every site. Of course, if the password manager itself is hacked, you’re toast.

Use your new password manager to generate unique, strong passwords and enable two-factor authentication wherever possible. This adds an extra layer to logging in, such as sending a code to your mobile phone.

In the long term, it is important to recognise that individuals, companies, the media and politicians will use fear, misinformation and bad logic to try to sell you ineffective security systems.

They will imply that security is a state and that everything must be secure; therefore, security systems are worth whatever money, disruption, inconvenience and downright abuse involved.

This is a trick to keep you from simply weighing the costs and benefits. The truth is, airports do not need body scanners to stop hijackings and your internet service provider does not need to keep a record of every website you ever visit just in case it might be relevant to some frivolous copyright infringement lawsuit at some point. The NSA does not need access to the entire world’s communications to look for terrorists and the police do not need unmanned aerial vehicles to spy on citizens. These are all bad trade-offs –- they are expensive, invasive, abusive and most of all ineffective.

You should expect more security problems like Heartbleed in the future. Your average software developer, like your average person, does not really understand security. Smooth-talking salespeople con them into buying ineffective security systems and government agencies intentionally undermine security tools and treat privacy as the enemy.

For all the anxiety it has caused, Heartbleed has also spawned a public conversation about online security, encryption and how security systems are designed and tested. It reminds us that even the best system designers and security experts are human beings who make mistakes just like the rest of us. Next time you make a mistake, perhaps you can take solace in the fact that as bad as it is, you probably haven’t compromised half the internet for two years.