The web has been aglow this week with talk of Heartbleed, the major security vulnerability in a particular version of OpenSSL. For those of you just catching the news, Heartbleed is:
a bug in the open-source cryptography library OpenSSL which allows an attacker to read the memory of a server.[ref]Heartbleed bug[/ref]
It’s a bug that, for a short time, affected the majority of servers on the Internet. It’s also a bug that was fixed on the majority of this majority of servers in a remarkably short period of time.
So why are we still talking about it?
Marketing
Before news of Heartbleed broke, the developers who discovered the bug locked down a catchy name, a .com for a detailed description of the vulnerability, and even a logo. “Heartbleed” is highly recognizable, and also somewhat descriptive of the underlying bug itself – how a “heartbeat” request can “bleed” information to an attacker.
The fact that Heartbleed, otherwise known as CVE-2014-0160, had its own name, website, and logo before many webmasters were even aware of the vulnerability is one of the reasons so many people are talking about it. Many in the tech community feel the exploit should have been fixed by vendors first, then disclosed to the public.
I disagree.
A non-technical friend of mine asked me yesterday if she should be concerned about Heartbleed. She runs her own website (with the help of a few tech savvy friends), and had heard through Twitter about the potential insecurity of her server. I assured her that, since she wasn’t serving SSL content in the first place, she had nothing to worry about – upon closer inspection, her server is not configured to support the heartbeat protocol in the first place.
After assuaging her concerns, I asked another friend at the table if he’d taken the time to update his MacBook to OSX 10.9.2. He didn’t know what I was talking about.
Unlike Heartbleed, CVE-2014-1266 is known just as “the Mac SSL bug.” It’s arguably more dangerous for consumers (read: people who use computers for day-to-day life but don’t necessarily host websites with or without sensitive data), but also not well-known outside developer circles.
The collective “huh” I got in response to my question, particularly compared with the reaction to (and knowledge of) Heartbleed was very telling. No one knows or cares about bugs or vulnerabilities tagged with a meaningless CVE identifier – give the bug a catchy name and logo, and they’ll be demanding it be fixed immediately.
Heartbleed was discovered 2 days ago, and has already been patched on the majority of affected systems. “The Mac SSL bug” was discovered in late February, yet there are consumers in April still using vulnerable devices to check their email, pay bills, and authenticate against secure servers.
The difference between the two is in the way each bug was presented to the public. In other words, marketing matters.
Responsible Disclosure
The question still remains: was the systems team being irresponsible by disclosing the OpenSSL bug to the public before reporting it to the vendors?
Yes and no.
Yes, because the Heartbleed website contained full details of the exploit, allowing nefarious individuals to hack (and steal) data from allegedly secure systems before maintainers could react to the knowledge of the exploit.
No, because OpenSSL is an open-source project and, even if the project team were notified (and pushed a fix) before disclosure, there is no guarantee effected systems would be patched prior to going public. Even had OpenSSL been updated a day, a week, a month before the exploit released, it’s highly unlikely sysadmins would jump to apply a patch quickly enough to make a difference.
By disclosing with a highly marketable name, to the consumer public rather than isolated developer circles, the team that discovered Heartbleed ensured that the underlying issue would be resolved quickly. Further, they helped educate an uniformed public to not take systems security for granted but to look at the details of systems installations and ask questions of their hosts and contract teams.
For all the damage Heartbleed did on its own, disclosing the issue in such a way did far more good than harm.