Thursday, April 10, 2014

Sometimes I just hate how we treat users!

Oh! We have a problem! Let's make the users jump through useless hoops; that will increase their trust in the internet. Not!

The latest example is Heartbleed: even the normally sane BBC News Channel is joining in the hysteria.

Don't get me wrong, the Heartbleed vulnerability is really, really bad!
However, the hysterical cries to "Change ALL your passwords!" are worse.

As a reminder, here is the current flow:
Flaw detected in OpenSSL (versions 1.0.1 to 1.0.1f)
 (NB Many sites are still on the older OpenSSL branches, 0.9.8 and 1.0.0, which never contained the TLS heartbeat code, so those sites are not vulnerable.)
Some of the "in the know" sites update their sites, and keep their heads down.
Security experts start crying "Update ALL your passwords!"
News media pick up and echo the cry.
The sites with the vulnerability patched keep their heads down.
The sites with the vulnerability unpatched keep their heads down.
Some sites update their security certs, but not all...
Some users update ALL their passwords, wasting time and getting no real increase in their security.
Most users just raise their eyebrows and think "Not again!"

(NB Simply patching the OpenSSL code is not enough. Because the server's private key could have been read out of memory, an affected site also needs to generate a new private key, have a new certificate issued for it, and revoke the old one. As an example, O2 appear to have patched and re-issued; it seems that EE have just patched and not yet replaced their certificate. Be aware that the certificate's issue date is an unreliable signal: some certificate providers do not change the dates when re-issuing, and a re-issued certificate carrying the same public key gains nothing. The only check that really matters is whether the public key changed. So, who knows!)

Of my 257 internet accounts, 249 were apparently not affected: either they were not on the affected versions, or they did not use SSL!

Of the 8 sites that LastPass detected as affected, 5 had not yet updated their security certificates, and only 3 had updated their certificates. So in fact I apparently had just 3 passwords to update.

A far more open and sane approach to the process would have gone like this:

Flaw detected in OpenSSL (1.0.1 to 1.0.1f)
Some of the "in the know" sites update their sites: Goto **
Security experts get the message out: "Site admins, update OpenSSL (versions 1.0.1 to 1.0.1f) to a fixed build, then re-key and re-issue your certs"
News media keep their heads down. IT and security media repeat the message above.
The sites without the vulnerability keep their heads down.
The sites with the vulnerability unpatched declare on their website that it is insecure but they are working on it.
The sites with the vulnerability patched and certs updated: Goto **

** Force re-authentication (invalidate every existing session, since session cookies could have leaked just like the private key) and a password reset on ALL site users, admitting that the site had been vulnerable.
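The two checks that the flow above and the earlier account count both rest on, the OpenSSL version range and the "only rotate after the site has patched and re-keyed" rule, written out as an added example. This is not code from the original post, from LastPass or from any site's checker; the Server header strings, dates and the `known_exposed` override are constructed for illustration.

```python
"""Heartbleed password triage (added example, not code from the post or LastPass).

Check 1: was the site on an affected OpenSSL?  Affected: 1.0.1 through 1.0.1f
         and the 1.0.2-beta1 pre-release.  1.0.1g fixed it; the 0.9.8 and
         1.0.0 branches never contained the TLS heartbeat code.
Check 2: does this password still need rotating?  Only a password set after the
         site patched AND re-keyed can be assumed clean; rotating before that
         just hands a fresh password to the same leaky server.
"""
import re
from datetime import date
from typing import Optional

# Upstream version token: "1.0.1e", "1.0.1e-fips", "1.0.2-beta1", "0.9.8y"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9.]+))?$")
# The same token as it appears in an HTTP Server header ("... OpenSSL/1.0.1e ...")
_SERVER_HDR_RE = re.compile(r"OpenSSL/(\d+\.\d+\.\d+[a-z]*(?:-[A-Za-z0-9.]+)?)")


def parse_openssl_version(server_header: str) -> Optional[str]:
    """Return the OpenSSL version token from a Server header, or None if absent."""
    m = _SERVER_HDR_RE.search(server_header)
    return m.group(1) if m else None


def is_heartbleed_vulnerable(version: str) -> bool:
    """True if an upstream OpenSSL version string is in the affected range.

    Caveat: distributions backport fixes without bumping the version, so a
    Debian/Ubuntu/RHEL build reporting 1.0.1e may already be patched.  Treat a
    True here as "needs confirming", not as proof.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, suffix = m.group(4), m.group(5) or ""
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 with no letter, then 1.0.1a .. 1.0.1f; 1.0.1g is the fix.
        return letter == "" or (len(letter) == 1 and letter <= "f")
    if (major, minor, patch) == (1, 0, 2):
        return suffix == "beta1"  # only the first 1.0.2 beta shipped the bug
    return False


def password_action(was_vulnerable: bool, rekeyed_on: Optional[date],
                    password_changed_on: date) -> str:
    """What to do with one stored password for one site.

    'nothing'        - never affected, or the password already postdates the
                       site's patch-and-rekey
    'wait_for_rekey' - affected and still on the old private key: a new
                       password could be captured exactly like the old one
    'reset_now'      - patched and re-keyed; the current password may have
                       been read out of server memory while it was exposed
    """
    if not was_vulnerable:
        return "nothing"
    if rekeyed_on is None:
        return "wait_for_rekey"
    if password_changed_on > rekeyed_on:
        return "nothing"
    return "reset_now"


def triage(server_header: str, rekeyed_on: Optional[date],
           password_changed_on: date, known_exposed: bool = False) -> str:
    """Run both checks for one site.

    known_exposed (an assumed flag for this example) overrides the header check
    for a site you know ran affected code earlier: a site that upgraded before
    you looked shows a clean version today, which says nothing about what was
    captured last month.
    """
    version = parse_openssl_version(server_header)
    vulnerable = known_exposed or (version is not None
                                   and is_heartbleed_vulnerable(version))
    return password_action(vulnerable, rekeyed_on, password_changed_on)


if __name__ == "__main__":
    # Constructed sample sites: (Server header, date the site re-keyed or None,
    # date you last changed the password, known to have been exposed earlier?)
    samples = [
        ("Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1", date(2014, 4, 9), date(2013, 11, 2), False),
        ("Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e", None, date(2013, 11, 2), False),
        ("Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1g", None, date(2014, 1, 15), False),
        ("Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1g", None, date(2014, 1, 15), True),
        ("nginx/1.4.6 (Ubuntu)", None, date(2012, 6, 1), False),
        ("Apache/2.2.3 (CentOS) OpenSSL/0.9.8e-fips-rhel5", None, date(2012, 6, 1), False),
    ]
    for header, rekeyed, changed, exposed in samples:
        print(f"{triage(header, rekeyed, changed, exposed):15s}  {header}")
```

Two design points. A version string is only a hint: an nginx header that does not name OpenSSL at all, or a distribution build that backported the fix under the old number, both need confirming another way, which is why a "vulnerable" answer means "check", not "panic". And the `rekeyed_on` date has to be the date the private key actually changed, not the date printed on the certificate, for exactly the reason given in the NB above.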

Funny how LastPass did not declare themselves as one of the affected sites, despite the fact that they were: an example of the "in the know, keep our heads down" approach to security and brand protection. Thankfully I use my YubiKey(s) to protect their site! I wonder how they have been compromised by Heartbleed?

Oh! how my HeartBleeds!

1 comment:

  1. Some good points... but surely one can't rely on the Security Check from LastPass too much? A site might have been using a vulnerable version of OpenSSL one year ago and your credentials were compromised then, but it has since updated to the version without the Heartbleed bug, so at the point LastPass checks the site's version and certificate it all looks OK? So therefore would it not be prudent to change all passwords on potentially affected sites that use OpenSSL once they have patched and updated certs? To further complicate it, it's always possible a site has switched from a vulnerable version of OpenSSL to a completely different SSL technology without you ever knowing, and therefore could also have been open to compromise in the past. Guess it's a balance of really how likely all these permutations are to converge to cause the issue - the Swiss cheese of security!
