Heartbleed was huge. Massive. A giant, gaping hole that could be exploited in several ways and somehow went unnoticed for over two years. It was an embarrassment, a black eye for the OpenSSL Foundation and really all who use OpenSSL for encryption… which is the majority of the Internet, and most of the world’s internal sites and apps as well.
The first confirmed data losses due to the Heartbleed Bug were on April 14th, when the Canadian Revenue Service lost 900 social insurance numbers (the equivalent of a Social Security Number) in six hours to a determined college student. Bad? Yes. But destructive at the worldwide level that we believed possible? Not even close.
So here’s my point. Heartbleed had a big, fat, silver lining. In the span of a few days, millions of administrators reset their private keys and reissued their SSL certificates. We have confirmed very little actual harm caused by the vulnerability, and we have documented millions of websites and apps applying patches, updating their software, resetting their private keys and reissuing certificates. If only we could inspire this type of prophylactic activity on a regular basis. It’s like pulling teeth to get users to reset passwords, but one well-publicized breach and folks are clamoring for it. Many consumers are being proactive and using tools to specifically avoid unpatched websites. These are steps in the right direction.
Don’t get me wrong. I won’t be wishing for another Heartbleed. We have our hands full as it is with the eBays and Targets of the world. But I’m absolutely certain that there will be another bug… probably worse/bigger/more widespread/more exploited/etc than Heartbleed, and it will be exposed in the fairly near future. Such is life in this industry. The ‘next big thing’ always includes the raised stakes inherent in our bigger Big Data, our faster connectivity, and our multiplying endpoints. Luckily, we are making leaps forward every time we are faced with these threats, and we have very very very smart folks on our side.
My bigger concern had been that we would become jaded and tuned out to the dangers. Target and eBay dropped the ball on their crisis responses, but banks and credit card companies responded swiftly and effectively. Anecdotally, I have talked to a lot of people who were prompt to reset personal passwords and treat their identity protection with the level of respect and attention it deserves. The strong performance of site administrators and product architects worldwide in their response to Heartbleed has shown me that we have many reasons to be optimistic. Here at SafeLogic, we had patches rolling out within hours of the announcement, and we were not alone. As we approach the tipping point toward the Internet of Things, our vigilance must remain strong, and the industry’s unified response to Heartbleed has actually helped me sleep better at night.