11 Apr, 2014

Trusting the Web

by John Poulin

With all the drama this week relating to the Heartbleed bug, I wanted to reflect on a question that one of my students asked during a training session a few weeks ago. At the end of our Advanced Web Hacking class, this particular student looked at me and asked with sincerity, “Aren’t you afraid to use the internet?” My immediate answer was “Yes, but I do so anyway.”

In Bruce Schneier's book "Liars and Outliers," the idea of trust is discussed on many levels and across many societies. He points out that we require trust to function as a society.

When we use the internet, we're placing trust in many people and organizations that play a part in what we do. We place trust in the folks that manufactured our computer, assuming they haven't planted any sort of backdoors. We place trust in our internet browser, assuming it will load the specific webpage we have specified. We trust that the webpage we visit doesn't contain malware or try to take photos of us with our webcam. We trust that the webpage has integrity and has not been compromised.

Last week I felt comfortable banking online because I trusted that the bank had passed compliance tests, implemented Transport Layer Security (TLS), and employed trustworthy people. In my opinion, there is a lot to trust here, but the cost of driving 15 minutes to the bank just to perform a balance inquiry far outweighs the cost of placing trust in the online implementation.

This week, I’m not as comfortable banking online. I no longer have the same trust in our society as I had last week.

The Heartbleed bug is a flaw in the implementation of the TLS heartbeat extension in many versions of the OpenSSL library. I won't try to explain it in depth in this post, but it is a serious flaw: a single malformed heartbeat request lets an attacker read up to 64 KB of the process's memory, and the request can be repeated as often as the attacker likes. That memory may contain sensitive information such as credit card numbers, the private keys behind X.509 certificates, passwords, session cookies, and more. In the words of our CEO, Jack Mannino, "I'd probably [rate] it at about a 9, 9 ½."
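To make the flaw concrete, here is an added example that is not part of the original post and is not OpenSSL's own code. It simulates the heartbeat handler over a constructed 128-byte block standing in for process memory: a heartbeat request whose header claims a larger payload than the record actually carries, followed by a made-up secret that happens to sit next to it. The vulnerable handler trusts the claimed length and copies it into the response; the fixed handler applies the length check that the patched OpenSSL release added and silently drops the message instead. The message layout follows RFC 6520 (type byte, 16-bit payload length, payload, at least 16 bytes of padding); the buffer contents and the `password=hunter2` string are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "process memory": the heartbeat record arrives at the start,
 * and whatever else lives on the heap (here, a made-up secret) follows it. */
#define MEM_SIZE 128
static unsigned char memory[MEM_SIZE];

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding */

/* Lay out a heartbeat request in `memory`:
 *   type (1) | claimed payload length (2, big-endian) | payload | padding
 * followed immediately by `secret`, which is NOT part of the record.
 * Returns the number of bytes the TLS record layer actually delivered. */
size_t build_memory(uint16_t claimed_len, const char *payload, const char *secret) {
    memset(memory, 0, MEM_SIZE);
    size_t p = 0;
    memory[p++] = HB_REQUEST;
    memory[p++] = (unsigned char)(claimed_len >> 8);
    memory[p++] = (unsigned char)(claimed_len & 0xff);
    size_t plen = strlen(payload);
    memcpy(memory + p, payload, plen);
    p += plen;
    p += HB_PADDING;               /* zero padding, already in place */
    size_t record_len = p;
    memcpy(memory + p, secret, strlen(secret));  /* adjacent heap data */
    return record_len;
}

/* Vulnerable shape of the handler (CVE-2014-0160): the payload length is
 * taken from the attacker's header and never compared with the record
 * length. The only guard here keeps the simulation inside `memory`; the
 * real code had no such guard and read whatever followed the record. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    (void)rec_len;  /* never consulted: that is the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload_len > MEM_SIZE) return -1;            /* demo bound */
    if ((size_t)3 + payload_len + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);   /* over-reads past the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)(3 + payload_len + HB_PADDING);
}

/* Fixed handler: reply only if the claimed payload plus header and padding
 * fits inside what was actually received; otherwise discard silently. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return 0;
    if ((size_t)3 + payload_len + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);   /* now provably inside the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)(3 + payload_len + HB_PADDING);
}

/* Does the response carry `needle` anywhere in its bytes? */
int contains(const unsigned char *buf, int len, const char *needle) {
    size_t n = strlen(needle);
    if (len < 0 || (size_t)len < n) return 0;
    for (size_t i = 0; i + n <= (size_t)len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[MEM_SIZE];
    const char *secret = "password=hunter2";
    /* Attacker claims 40 bytes of payload but sends only "hi". */
    size_t rec_len = build_memory(40, "hi", secret);
    int n = heartbeat_vulnerable(memory, rec_len, out, sizeof out);
    printf("vulnerable: %d-byte reply, secret leaked: %s\n",
           n, contains(out, n, secret) ? "yes" : "no");
    n = heartbeat_fixed(memory, rec_len, out, sizeof out);
    printf("fixed: %d-byte reply (0 = request dropped)\n", n);
    return 0;
}
```

Run stand-alone, the vulnerable handler returns a 59-byte reply that includes the adjacent secret, while the fixed handler returns 0 and sends nothing. An honest request, whose claimed length matches what was sent, is answered normally by both.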

This particular bug was extremely widespread and caused a lot of uproar across the InfoSec community. After all, a critical bug was discovered in an open source library that was designed to keep online transactions secure. OpenSSL is used for securing HTTPS connections, email transport (SMTP, IMAP, POP over TLS), VPNs, and much more.

In this case, I think our society put too much trust in a single library. We trusted that the code was functional and that it was going to protect transmission of sensitive data. We neglected to see a severe flaw which actually reveals sensitive data rather than protecting it.

In a short amount of time, Heartbleed has affected many different people: the OpenSSL development team responsible for pushing out the fix; the system administrators who need to roll out the patch and then, because memory may already have been read, reissue certificates, revoke the old ones, and reset passwords and session tokens; the attackers attempting to compromise private information; and the users who are compromised.

Today, I may not necessarily trust many implementations of OpenSSL, but I do trust that developers and system administrators will do what they can to patch their systems. I trust myself enough to verify that my bank has mitigated the Heartbleed bug (a patched OpenSSL, and a certificate issued after the disclosure) prior to authenticating.

So if the student were to ask me the same question today, I would respond with the same exact answer. Yes, I am scared to use the internet. But I trust the sites I use, the developers they hired, and the libraries the developers are using.

To succeed as a society, it is important that we have trust. It is also important that we don’t place too much trust in certain things. In the case of OpenSSL’s Heartbleed bug, I firmly believe that users are going to be more aware of the potential flaws that could arise in the implementation of a crypto library.

If you are interested in contributing to the OpenSSL project you can find more information here: https://www.openssl.org/source/.