Everyone’s at fault for Heartbleed debacle

by KC Stanfield

By now it’s safe to assume Internet privacy is dead. Between stored cookies and the NSA spying on everyone, Internet users are generally being watched on every website they visit. This pales in comparison to the recent security bug known as Heartbleed.

The worst aspect of Heartbleed is that it could have been prevented. It's one of those situations when everyone is partially to blame. We all use the Internet, but too many companies and people take advantage of free software without thinking of the consequences. Considering that not every student is a computer science major, allow me to explain Heartbleed and its importance.

Heartbleed is a flaw in the OpenSSL encryption library. To oversimplify encryption, it's supposed to keep your information safe from hackers. Heartbleed instead allows attackers to retrieve personal information such as usernames, passwords and even credit card information.

Attackers are able to retrieve small amounts of information from the memory of remote servers. The information is random, but since the attempts are difficult to detect, they can keep trying until they hit the jackpot. It's a matter of chance with virtually no risk until they get something valuable. Even I could eventually win the lottery if all the tickets were free.
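To show what the missing check actually was, here is an added C model of the heartbeat handling (constructed for this column, not OpenSSL's own code): the vulnerable pattern beside the fixed one, with a simulated memory buffer so the leak is observable without reading outside any array.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the TLS heartbeat handling behind Heartbleed, not
 * OpenSSL's own code. A request is: 1 byte type, 2-byte big-endian payload
 * length claimed by the sender, then the payload bytes. */
enum { HB_HDR = 3 };
/* Vulnerable pattern: replies with 'claimed' bytes, never comparing it to the
 * bytes that actually arrived. mem_cap is only the size of the simulated
 * memory array that keeps this demo in bounds; it is not the received length. */
size_t heartbeat_reply_unchecked(const uint8_t *mem, size_t mem_cap,
                                 uint8_t *out, size_t out_cap) {
    size_t claimed = (size_t)((mem[1] << 8) | mem[2]);
    if (claimed > out_cap || claimed > mem_cap - HB_HDR) return 0;
    memcpy(out, mem + HB_HDR, claimed);  /* copies whatever follows the request */
    return claimed;
}
/* Fixed pattern: rec_len is the number of bytes really received; a request
 * whose claimed length exceeds it is silently dropped, as the patch does. */
size_t heartbeat_reply_checked(const uint8_t *rec, size_t rec_len,
                               uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR) return 0;
    size_t claimed = (size_t)((rec[1] << 8) | rec[2]);
    /* first test is the bounds check Heartbleed lacked */
    if (claimed > rec_len - HB_HDR || claimed > out_cap) return 0;
    memcpy(out, rec + HB_HDR, claimed);
    return claimed;
}
/* Simulated server memory: a 4-byte request (type 1, claimed length 16,
 * payload "A") followed by unrelated bytes marked 'S'. Returns bytes received. */
static size_t build_memory(uint8_t *mem, size_t cap) {
    memset(mem, 'S', cap);
    mem[0] = 1; mem[1] = 0; mem[2] = 16; mem[3] = 'A';
    return 4;
}
/* How many 'S' bytes the unchecked handler leaks into its reply. */
size_t demo_leaked_bytes(void) {
    uint8_t mem[32], out[64];
    build_memory(mem, sizeof mem);
    size_t n = heartbeat_reply_unchecked(mem, sizeof mem, out, sizeof out);
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++) leaked += (out[i] == 'S');
    return leaked;
}
/* The checked handler's reply length for the same malformed request. */
size_t demo_checked_reply_len(void) {
    uint8_t mem[32], out[64];
    size_t rec_len = build_memory(mem, sizeof mem);
    return heartbeat_reply_checked(mem, rec_len, out, sizeof out);
}
```

With the claimed length of 16 against 4 bytes actually received, the unchecked handler returns the one real payload byte plus 15 bytes of adjacent memory, while the checked handler returns nothing.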

The main issue with Heartbleed is that so many websites and mobile applications use OpenSSL. Facebook, Yahoo Mail, Netflix, Dropbox, Pinterest and WordPress all use it. The list is much more extensive, which makes this one of the largest Internet security threats to date. Apparently, up to 500,000 websites have been affected, but considering how millions of results come up for a single Google search, that seems like a low estimate.

Most major sites have made patches, but it’s best to be safe and change your passwords. Security threats will always exist, but precautions must be taken to prevent anything similar in scope from occurring in the future.

This is not a new bug by any means. As a matter of fact, it has existed for approximately two years, but now the threat of hackers exploiting Heartbleed is even greater. Heartbleed has gained international media coverage, which is a double-edged sword. Although this means consumers and companies can take steps to address the issue, more hackers are aware of it as well. It's as if someone were to announce there was buried treasure under Mission Beach. Everyone from priests to criminals would be competing for it.

Heartbleed extends beyond commercial websites. Nearly 900 people had their information stolen from the Canada Revenue Agency, the Canadian version of the IRS. The suspect was arrested, but this demonstrates that even governmental websites are at risk.

The most obvious group to blame for Heartbleed would be the OpenSSL Project that developed the code. While it is directly connected to Heartbleed, the code is free to use and OpenSSL asks only to be credited. Additionally, the OpenSSL Project has only four people who work on the code, three of whom are volunteers. The project is funded by donations that usually amount to $2,000 annually, but it has received much more this year because of Heartbleed.

Since OpenSSL operates on donations, everyone who uses the Internet and hasn't donated to them is also partially to blame for Heartbleed. We have a collaborative effort that probably receives less annually than a homeless person. It's not as if companies such as Google have enough cash lying around to donate to the group responsible for their website's security. Internet sites are immensely wealthy, and the encryption code used by two-thirds of web servers doesn't even receive enough money to pay for a semester's tuition at San Diego State.

A security threat of this magnitude must not be allowed to happen again. Heartbleed could have been less severe, maybe prevented, if OpenSSL had more people dedicated to its code. At the very least, the bug could have been discovered in less than two years.

Many people take the Internet for granted and don’t appreciate online security until it’s gone. I know it would be more productive to squeeze water out of a desert stone than to ask college students to donate money to OpenSSL. However, later down the line, when you have the means (and aren’t eating ramen once a day) remember who to thank for the security of your favorite websites.