Is Heartbleed the Biggest Web Security Threat Ever?

Even as the Heartbleed bug that has infiltrated Web sites and threatened millions of users runs its course, its impact is being assessed. And, as the extent of the vulnerability increases, a question is whether Heartbleed has set a milestone in Web security threats.

On Monday, a critical vulnerability was made public in some versions of the encrypting technology OpenSSL, which is used by hundreds of thousands of Web sites. The vulnerability was apparently undetected for nearly two years, and hackers can exploit it without leaving any sign they did so.

OpenSSL uses SSL/TLS encryption for security and privacy in Web sites, e-mails, instant messaging and other applications. The vulnerability could allow a hacker to steal sensitive data, including user names, passwords, and the keys used to decode encrypted transmissions.

'Implementation Problem'

A fix has been released and is being implemented by many sites. According to The Heartbleed Bug site, the bug is not a design flaw in the SSL/TLS protocol spec, but rather is an "implementation problem, i.e., programming mistake in popular OpenSSL library that provides cryptographic services."

On Friday, Reuters news service reported on recent warnings from security experts that the bug may be greater than just Web servers. The reason is that the unpatched OpenSSL code is also used in some e-mail servers, users' computers, smartphones and firewalls. There are also reports that version 4.1.1 "Jelly Bean" of Google's open-source operating system, Android, also has the same vulnerability, which, if accurate, would magnify the problem by millions of smartphones.

Security expert Jeff Moss, for instance, told Reuters that he is waiting for an enterprise firewall patch from McAfee. Cisco, Intel and other major technology companies are reportedly reviewing their products now to see if they are affected by the vulnerability.

Given the extent of the vulnerability, one question is whether Heartbleed represents the...

Comments are closed.