On April 7, 2014, a vulnerability in the OpenSSL cryptographic library was disclosed, and it created havoc in the internet community. Since Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are at the heart of Internet security, this flaw is serious. Named Heartbleed, it can reveal not only the contents of secured message packets but also the primary and secondary keys used to protect transactions involving sensitive information such as credit card details. At the time of its discovery, more than 66% of web servers were vulnerable to it.

Major websites such as Facebook, Twitter, PayPal, Instagram and Microsoft are believed to have been entirely unaffected by it, but security analysts still advise users to change their passwords on these sites, which is good practice anyway. It is still expected that a large share of websites will remain at risk of Heartbleed attacks in the coming months, if not years.

Life after Heartbleed
Heartbleed has changed the way internet security is perceived. Earlier, organizations were content to install Intrusion Detection Systems (IDS) on their networks to detect and discourage attacks. The scenario has changed now. The Heartbleed flaw resulted from an implementation problem, a programming error. Although companies such as Oracle, Red Hat and Debian have shipped patched OpenSSL builds (version 1.0.1g onward), the flaw shifts the focus of internet security from external attacks to internal design and implementation.

The good news, however, is that the company Codenomicon took the initiative to explain the bug publicly on heartbleed.com and was also responsible for creating its logo. This strategy made the serious flaw more accessible to the general public and, in turn, pushed people to take it more seriously.

For websites to be more secure in future, the Heartbleed flaw is a firm reminder of how we have handled such crises. For starters, any website development should undergo more stringent security audits. Another interesting outcome has been users paying more attention to password management services such as Dashlane, which received $22 Million in funding after the Heartbleed crisis. During that week, Dashlane saw a tenfold increase in its new user base. Beyond that, the risk from such attacks can be reduced through a few basic measures which, if followed religiously, are quite effective:

  • Keeping anti-virus software fully updated and installing firewalls
  • Changing passwords regularly, especially after a website's security has been compromised
  • Limiting private business and transactions on public WiFi, and signing out at the end of a session
  • Being aware of phishing scams, which can extract your credentials and leave your accounts compromised and prone to attack

The security battle is here to stay, and nothing can be made entirely failsafe, as Heartbleed has shown. Heartbleed is not the last security flaw we will find. But more investment in internet security, more security audits and responsible software organizations can definitely help make the internet more secure in future.