There is justified concern regarding the latest discovery of a critical defect in the OpenSSL cryptographic software library, which is by far the Internet’s most widespread open-source cryptographic library and TLS implementation. According to Netcraft, OpenSSL is used on 2/3 of websites. It also ships in a wide variety of operating systems and applications, including Debian Wheezy, Ubuntu, CentOS, Fedora, OpenBSD, FreeBSD, and openSUSE.
The Heartbleed bug, officially referenced as CVE-2014-0160, makes it possible for people to recover the private encryption key from the digital certificates used to authenticate Internet servers and to encrypt data transport. There’s no way of knowing if the bug has been actively exploited since attacks leave no traces in server logs. Still, the risk is huge, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises.
The researchers who identified the issue confirmed that the bug makes it possible for attackers to access sensitive data residing in the memory of computers or servers by circumventing TLS protections (source: Ars Technica). The same researchers also warned that the bug has left a large number of private keys and a large amount of sensitive data exposed on the Internet for a long period of time. Businesses should be very concerned because in that scenario, an attack is easy but not traceable.
Best practices would suggest that companies replace their underlying TLS certificate and take other preventive actions. But that won’t be sufficient. All companies and their developers should use technology solutions to ensure their private keys are protected at all times. This OpenSSL crypto bug makes a great case for solutions like Cryptanium Secure Key Box. Such white-box solutions will encrypt the keys that OpenSSL uses in memory, so even if the attacker grabs the memory of the server, all the sensitive keys in memory are still encrypted.
Cryptographic algorithms and keys are used to protect sensitive data, authenticate communication partners, verify signatures, and implement various other security schemes.
The weak point in cryptographic algorithms is that in today’s open architectures, found in smartphones, tablets, and desktops, keys are usually revealed in the code or memory at some point. Hackers can monitor devices with special analysis tools and extract the secret keys. Without efficient key protection such as the one provided by Cryptanium, security features are in danger of being broken. This was demonstrated by this latest OpenSSL vulnerability, by last month’s bug in the GnuTLS library that left hundreds of open-source applications open to similar attacks, and by the HTTPS vulnerability in Apple’s iOS and OS X in February.