'Heartbleed' fix may slow Web performance

Apr 15, 2014 by Rob Lever
The heartache from the Heartbleed Internet flaw is not over, and some experts say the fix may lead to online disruption and confusion

The heartache from the Heartbleed Internet flaw is not over, and some experts say the fix may lead to online disruption and confusion.

The good news is that most sites deemed vulnerable have patched their systems or are in the process of doing so.

The bad news is that Web browsers may be overloaded by the overhaul of certificates, leading to error messages and impacting Web performance, said Johannes Ullrich of the SANS Internet Storm Center.

"A good percentage of the websites are patched," Ullrich told AFP.

The patches enable the Web operators to obtain new that demonstrate they can be trusted by Web browsers.

But Ullrich noted that for each patch, Web browsers must update their list of "untrusted" certificates or "keys" that would be rejected.

"For the fix, the website needs to obtain a new private key and the old key has to be revoked," he said. "Browsers will not trust the old keys."

Browsers may usually update dozens of keys on a daily basis, but because of Heartbleed, that may rise to tens of thousands.

If the verification process takes too long, Ullrich said, the browser may simply declare the site invalid or show an error message.

"People will see errors," he said. "They will see an invalid certificate. They can either accept the certificate or consider it invalid."

The big danger is that Internet users may become so confused or frustrated that they ignore the warnings or reconfigure their browsers to no longer perform the security check.

"If people turn off those lists, then a hacker could get in," Ullrich said.

With thousands of websites seeking new security credentials, "some certificate authorities and website administrators have been making careless mistakes," online security firm Netcraft noted.

Warnings about the danger have grown over the past week, with everyone from website operators and bank officials to Internet surfers and workers who telecommute being told their data could be in danger.

The bug is a flaw in the OpenSSL encryption at "https" websites that Internet users have been taught to trust.

The Heartbleed flaw lets hackers snatch packets of data from working memory in computers, creating the potential for them to steal passwords, encryption keys or other valuable information.

The security firm Cloudflare reported last week that it appeared impossible to use Heartbleed to steal certificates to impersonate a website, but then reversed itself after a "challenge" to the security community brought out evidence these thefts were possible.

Google said that some versions of its Android mobile operating system may be vulnerable to Heartbleed. On Monday, it urged developers to create new security keys to ensure apps and other services can be trusted.

Trend Micro security specialist Veo Zhang said the latest evidence shows mobile phones are potentially vulnerable in two ways:

"This is because may connect to servers affected by the bug," Zhang said in a blog.

"However, it appears that mobile apps themselves could be vulnerable... We have found 273 in Google Play which are bundled with the standalone affected OpenSSL library, which means those apps can be compromised in any device."

Some of the first evidence of hackers using Heartbleed have begun to surface in recent days.

British parenting website Mumsnet announced Monday that users' data had been accessed, potentially compromising 1.5 million accounts.

Officials in Ottawa said personal data for as many as 900 Canadian taxpayers was stolen after being made vulnerable by the "Heartbleed" bug.

The Canadian Revenue Agency last week shuttered its website over concerns about the Heartbleed bug.

Explore further: 'Heartbleed' hits 1.5 million users of UK parenting website

add to favorites email to friend print save as pdf

Related Stories

What you need to know about the Heartbleed bug

Apr 09, 2014

Millions of passwords, credit card numbers and other personal information may be at risk as a result of a major breakdown in Internet security revealed earlier this week.

'Heartbleed' bug a critical Internet illness

Apr 11, 2014

The "Heartbleed" flaw in Internet security is as critical as the name implies and wider spread than first believed. Warnings about the danger exposed early this week reached widening circles on Thursday, with everyone from website o ...

Heartbleed bug find triggers OpenSSL security advisory

Apr 08, 2014

A flaw called Heartbleed in OpenSSL, which is a software library used for the protection and security of millions of websites, was uncovered by Neel Mehta of Google Security, who first reported it to the ...

Recommended for you

Man pleads guilty in New York cybercrime case

Nov 22, 2014

A California man has pleaded guilty in New York City for his role marketing malware that federal authorities say infected more than a half-million computers worldwide.

How to keep the world's eyes out of your webcam

Nov 21, 2014

There are concerns that thousands of private webcams around the world could be streaming live images to anybody who wishes to view them – without their owner knowing – thanks to a Russian website provi ...

Britain urges Russia to shut down webcam spying site

Nov 20, 2014

A Russian website offering thousands of live feeds peering into bedrooms and offices around the world by accessing poorly secured webcams should be taken down immediately, British officials said on Thursday.

NSA Director: China can damage US power grid

Nov 20, 2014

China and "one or two" other countries are capable of mounting cyberattacks to shut down the electric grid in parts of the United States. That's according to Admiral Michael Rogers, the director of the National Security Agency ...

Some in NSA warned of a backlash

Nov 20, 2014

Current and former intelligence officials say dissenters within the National Security Agency warned in 2009 that secretly collecting American phone records wasn't providing enough intelligence to justify ...

Russia hacking site spying webcams worldwide: Britain

Nov 20, 2014

Britain's privacy watchdog on Thursday called on Russia to take down a site showing hacked live feeds from thousands of homes and businesses around the world and warned it was planning "regulatory action".

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.