Heartbleed Screed: OpenSSL goes AWOL

Am I the only one surprised to learn that SSL, the bedrock upon which all these supposedly secure websites are built, is open-source code, meaning 66 percent of so-called “secure” sites on the web entrusted their customer and client data to a largely unsupervised volunteer workforce?

With the proliferation of WordPress, also open source, most creative agencies, including marketing and public relations firms, have added web design to their menu of services. SSL Certificates are sold, and installed, by all of the major web hosting companies.

The marketing pitch behind open source software is Linus's Law, named for Linux inventor Linus Torvalds, which states that the more eyes involved in reviewing and revising source code, the faster bugs can be found and fixed. That’s fine, in theory, but I’m not sure I’d trust my money to a bank that picked my PIN by committee. And, as we have learned, it took those many eyes more than two years to figure out that their super-secure encryption formula was so badly flawed that a savvy hacker could pick the data lock on all of those websites in, literally, a heartbeat.

What makes Heartbleed most alarming is that it can be virtually invisible, attaching itself to a verification signal called a heartbeat, a digital ping attesting that a website is secure, emptying the vault as it proclaims the impossibility of someone doing so. It kind of reminds me of the Martians in the cult classic “Mars Attacks,” blasting away with lasers while proclaiming: “Stop. Come back. We come in peace.”

Facebook, Instagram, Pinterest, Twitter, and others have acknowledged that their sites were vulnerable but have since been repaired. Multiple large corporations have followed suit and recommended that users change their passwords to ensure no breach of their data.

Companies are running their software through a test that is supposed to check for the flaw, but the question remains: How do we know that the Internet is safe? Is online banking or online shopping really a smart move when even a so-called secure site can be so easily compromised?

The truth is we don’t know. The best way to protect yourself against Heartbleed is to change your passwords on the websites that have been affected, although that’s really just window dressing until the security breach has been fixed. And, even then, we can only take someone else’s word for it.

As much as we have all come to rely on e-Commerce for everything from books to banking, the Heartbleed bug should remind us that we’re still living in the frontier days of the Internet. I’m not suggesting we turn back. But it’s important to know there are desperadoes out there. Proceed with caution.


This post was originally published on http://www.bradkuhnandassociates.com/news
