Perhaps more than any of the myriad leaks, hacks and whistleblower disclosures of the past year, the Heartbleed scandal has revealed just how fragile Internet security really is.
Revelations of a flaw in some of the Internet’s fundamental security software has shaken both the development community and everyday Internet users. The bug, called Heartbleed, essentially allows unauthorized people to access a type of supposedly protected Internet traffic guarded by software called OpenSSL.
Not only did Heartbleed allow for this information to be accessed unnoticed, the bug itself went undetected for more than two years. So vast was the potential impact that most security experts could offer average users no better advice than to check that their service providers had patched the hole – and then simply change all of their passwords.
“It would have been very difficult, until it was public, to look for [the Heartbleed bug],” John Miller, security research manager at security firm Trustwave, said. Had a person or organization exploited the bug in the past two years, he added, “likely nobody would have been aware.”
It now appears that someone had been doing exactly that. On Friday, several news outlets reported that the U.S. National Security Agency, which for years has worked hand-in-hand with researchers to find and fix these sorts of bugs, knew about Heartbleed for two years, but said nothing. If true, the revelation is part of a growing body of evidence that government agencies responsible for both spying and digital security are increasingly prioritizing the former over the latter.
A spokesperson for the White House’s National Security Council denied the reports on Friday. “Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April, 2014, are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report.”
In the world of computer security, the NSA is more than just a spy agency. For years, the department has used its massive resources and technical expertise to help make encryption and other such tools safer. Indeed, along with the Communications Security Establishment Canada, the NSA plays a significant role in approving software and algorithms that are safe enough for North American governments to trust with secret information.
This is in part because, for years, the agency prioritized defence – in other words, keeping American secrets safe – over offence. But as many Edward Snowden revelations and now the Heartbleed scandal have shown, the NSA’s focus on snooping may now be taking precedence over everything else.
OpenSSL is known as “open source” because its inner workings are visible to anyone (unlike, say, the code behind proprietary software, such as Microsoft Word). Since the discovery of the Heartbleed bug, some have criticized major companies for relying on open-source code to protect their web services.
But the bug may not have been caught at all if outside researchers were not able to freely prod the code, looking for weaknesses.
“All the infrastructure for the Internet is based on open-source software and OpenSSL is one of the key pieces,” Bob Tennent, a professor at the School of Computing of Queen’s University, said. “If you were to turn off all the open-source programs, there wouldn’t be an Internet right now.”
In Ottawa, the Canada Revenue Agency said Friday afternoon that it is “making good progress” in responding to Heartbleed and continues to anticipate having its services back online at some point over the weekend.
Meanwhile the Treasury Board’s chief information officer issued a directive urging government departments running unpatched OpenSSL software to “immediately disable” their public websites.
But while many major companies and governments were happy to take advantage of the free OpenSSL code to protect their Internet traffic, far fewer contributed any resources to the development and upkeep of the code. The result was, in many ways, a ticking timebomb – one of the most complex and vital pieces of Internet security software being run and updated by a small, sometimes overwhelmed and severely underfunded group of programmers and security experts.
“OpenSSL is an under-the-hood component,” said Steve Marquess, who manages the OpenSSL Software Foundation. “Most people are never aware that it’s there. That led to it being taken for granted.”
With a file from Bill Curry in Ottawa