Security researchers have this week revealed a bug in OpenSSL which has the potential to affect everyone, no matter how good their own computer security is. OpenSSL is deployed in around 60% of secure internet applications, so there is a very strong chance that just about every internet user is at risk from this.
So what is it? SSL (Secure Sockets Layer) is a way for web servers to securely communicate with web users. Typically you will see this in action when entering credit card details when buying online, but it is also used for other types of secure communication such as email, file sharing, etc. It is often signified with a padlock sign and you will see a ‘https://www…’ type address instead of a ‘http://www…’ – it is the ‘s’ that should signify it is secure.
The best way to think of this communication is as a secure tunnel between two points. The data is passed along the tunnel: no one else can get to it, no one else can see it. Normally the tunnel exists for the duration of the transaction; however, there is an option for the tunnel to be kept open for longer in certain circumstances. This exploit is effectively a window into the tunnel so that some, but not all, data can be seen. However, it also allows the tunnel to be kept open for longer than the transaction, allowing the exploiter more time to look through the window.
The SSL software is on the web server, so there is nothing that the average internet user can do about this software – it is the responsibility of the web service providers to correct it, and there is currently a massive scramble to do so. We are talking familiar names here such as Google, Facebook and Amazon.
While the exploiter is looking through the window, some of the data exchange can be seen, and there is also nothing you can do about this: it’s water under the bridge, history. Where you can take action is on passwords, which may also have been visible. Credit or debit card details are very much more problematic, and the best advice there is just to keep a very close eye on your statements.
It may be a mistake to change your passwords too early, as work is still under way to close the exploit. The informed advice is perhaps to delay your online purchases until next week and change your password as you do so.
Is there any good news in this? Well yes, because it is believed that it was found by the good guys first and that the announcement was delayed to give the major players time to sort things out before it went public. Also, because it could affect so many users, the chances of any one individual becoming a victim are reduced. It is also an opportunity to think about changing your passwords, as you should do periodically, and perhaps increasing the range and complexity of the passwords you use – don’t just use the same ones over and over.
The final lesson, as we have learnt with the recent Snowden revelations, is that nothing is 100% secure; we are just managing probabilities.