A large chunk of the Internet is broken at the moment. OpenSSL, used by a host of companies and services to encrypt their data, contained a flaw for two years that, if exploited, allowed external parties to extract data from a server’s working memory in 64 kilobyte chunks.
That’s not much, but it was a very repeatable exploit, meaning that nefarious parties could hit the 64 kilobyte button again and again. Eventually, presumably, you would get the golden ticket: private encryption keys. With that, you could decrypt sensitive, protected data, and no one would be the wiser.
Here’s why this is even worse than you first thought: Even if you patch OpenSSL, you don’t know if your servers were previously compromised. You can throw out the old keys and generate new ones, but that only protects you moving forward.
Nicholas Weaver, a security researcher, said the following: “I bet that there will be a lot of vulnerable servers a year from now. This won’t get fixed.” It is rare that things are as bad as people say they are. This is one of those times.
Another caveat: If you were storing up pools of encrypted traffic, and then managed to extract the key to that data via the Heartbleed bug, all that past traffic would become exploitable. To quote Mathias Bynens, another security type: “ಠ_ಠ.” Bynens also points out that data encrypted using Perfect Forward Secrecy would not be at risk, which is a comfort to some.
Who has the capability to collect and store such information? The NSA, for one. The organization has become notorious for tapping the core cables of the Internet and even spying on corporate traffic intra-datacenter. Including, you will recall, Yahoo datacenters in Europe. Yahoo is one of the parties that was at risk from the exploit. You do the math. Yahoo recently announced that it has bolstered encryption in and between its datacenters.
In an emailed statement, Yahoo told TechCrunch the following:
A vulnerability, called Heartbleed, was recently identified impacting
many platforms that use OpenSSL, including ours. As soon as we became
aware of the issue, we began working to fix it. Our team has successfully
made the appropriate corrections across the main Yahoo properties (Yahoo
Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo
Food, Yahoo Tech, Flickr and Tumblr) and we are working to implement the
fix across the rest of our sites right now. We¹re focused on providing
the most secure experience possible for our users worldwide and are
continuously working to protect our users data.
This is not the only recent encryption debacle. The NSA paid good money for RSA to adopt a random number generator that was exploitable. This stuff is serious. If the NSA won’t stop its bulk collection of data, along with similar agencies of other countries, it matters that encryption works.
When it doesn’t, no one has privacy.
Update: Microsoft provided TechCrunch with the following statement: “We are following reports of an OpenSSL library issue. If we determine there is an impact to our devices and services, we’ll take necessary steps to protect our customers.”