After Heartbleed: code vigilance is the new normal

Heartbleed has exposed a massive vulnerability at the heart of internet security. As our lives move ever further online, we need more attention to our code.

It has been, if you’ll excuse the pun, a Heartbreaking week.

Those of us who were starting our explorations on the internet the best part of two decades ago will remember how worried everyone was back then about doing any sort of commerce. Using the internet for shopping was a sure-fire way to have your credit card details stolen – or so was the theory. It really didn’t prove to be the case.

Here we are, years later, and suddenly our online existence seems more precarious than ever. A simple bug has been found in OpenSSL, the cryptographic software that secures a very large number of sites on the internet. It’s a big bug. Huge, in fact. So huge that it completely undermines the security of every site running it.

Heartbleed bleeds information

The best explanation of how the Heartbleed bug actually works that I’ve seen comes from the webcomic XKCD. In short, it’s relatively simple to trick the software into surrendering more information than it should do. And that could include everything from private encryption keys to your usernames and passwords.
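To make the mechanism concrete, here is an added example that is not from the original post or from OpenSSL: a simplified, constructed stand-in for a heartbeat handler, written in C. A record carries a length the peer claims for its payload; the first handler copies that many bytes back without checking that the bytes were ever received, which is the shape of the Heartbleed defect, while the second adds the missing comparison against the record length actually on the wire. The record layout, the `HB_MAX_PAYLOAD` constant, the function names and the "secret" bytes placed next to the record are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (an assumption, not OpenSSL's real structure):
 * two big-endian bytes of claimed payload length, then the payload bytes. */
#define HB_MAX_PAYLOAD 16384

/* Pattern of the defect: trusts the claimed length and copies that many
 * bytes, even when fewer than that actually arrived in the record. */
int heartbeat_reply_trusting(const uint8_t *record, size_t record_len,
                             uint8_t *out, size_t out_cap) {
    if (record_len < 2) return -1;
    size_t claimed = ((size_t)record[0] << 8) | record[1];
    if (claimed > out_cap) return -1;   /* protects only the destination */
    memcpy(out, record + 2, claimed);   /* reads past the record if claimed > record_len - 2 */
    return (int)claimed;
}

/* Hardened: the claimed length must fit inside the bytes actually received. */
int heartbeat_reply_checked(const uint8_t *record, size_t record_len,
                            uint8_t *out, size_t out_cap) {
    if (record_len < 2) return -1;
    size_t claimed = ((size_t)record[0] << 8) | record[1];
    if (claimed > HB_MAX_PAYLOAD) return -1;
    if (claimed > record_len - 2) return -1;   /* the check that was missing */
    if (claimed > out_cap) return -1;
    memcpy(out, record + 2, claimed);
    return (int)claimed;
}

/* Constructed memory image: a 5-byte record claiming a 20-byte payload but
 * carrying only 3 bytes, followed by unrelated data that happens to sit next
 * to it in memory (standing in for whatever else the process holds). */
#define RECORD_LEN 5
static const uint8_t arena[2 + 3 + 20] = {
    0x00, 0x14,                       /* claimed payload length = 20 */
    'a', 'b', 'c',                    /* the 3 payload bytes actually sent */
    'S','E','C','R','E','T','-','K','E','Y','-',
    'M','A','T','E','R','I','A','L','!'
};

/* Returns 1 if the trusting handler echoed bytes that were never part of the record. */
int trusting_leaks_adjacent_memory(void) {
    uint8_t out[64];
    int n = heartbeat_reply_trusting(arena, RECORD_LEN, out, sizeof out);
    return n == 20 && memcmp(out + 3, "SECRET", 6) == 0;
}

/* Returns 1 if the checked handler refuses the same record. */
int checked_rejects_oversized_claim(void) {
    uint8_t out[64];
    return heartbeat_reply_checked(arena, RECORD_LEN, out, sizeof out) == -1;
}

/* Returns 1 if the checked handler still serves an honest record correctly. */
int checked_accepts_honest_record(void) {
    const uint8_t honest[] = { 0x00, 0x03, 'a', 'b', 'c' };
    uint8_t out[64];
    int n = heartbeat_reply_checked(honest, sizeof honest, out, sizeof out);
    return n == 3 && memcmp(out, "abc", 3) == 0;
}

int main(void) {
    printf("trusting handler leaks adjacent bytes: %s\n",
           trusting_leaks_adjacent_memory() ? "yes" : "no");
    printf("checked handler rejects oversized claim: %s\n",
           checked_rejects_oversized_claim() ? "yes" : "no");
    printf("checked handler accepts honest record: %s\n",
           checked_accepts_honest_record() ? "yes" : "no");
    return 0;
}
```

The point of the demonstration is how small the fix is: one comparison between a length the peer asserts and a length the receiver itself knows. Length fields supplied by the other side of a connection are untrusted input and belong in the same validation path as any other.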

That, in itself, is pretty bad. This is a bug that has existed for the best part of three years. The theory that Open Source software is inherently secure because so many eyes are on it has proven false – because, as it turns out, there aren’t actually that many eyes on certain bits of the code.

What did the NSA know?

Worse, though, is the news that an agency that exists to defend people – Americans, at least – has known about this flaw for years, and done nothing to close it, because it proved useful to its own work. Protecting people by leaving them vulnerable: it’s a disturbing approach, and, if true, a clear sign that the NSA values its own convenience more than it values its role of protecting its people. It has, of course, denied the suggestions, but Bloomberg appears confident of its sources.

The consequences of this possibility for trust in the internet and the American security services are discussed at length in an excellent piece by Alex Wilhelm for TechCrunch.

If I may be allowed to combine the themes of this year’s and last year’s conferences: this is the new normal, and here be dragons. Online commerce is not going away. More and more of our personal information is going to travel around the internet, and yet code is inherently vulnerable. Simple bugs can have very serious consequences, as the Goto Fail bug in Safari showed clearly. Heartbleed is another example.

So, where do we go from here?

An end to code complacency

We need to be a lot less complacent about our code. When Microsoft’s Windows operating system was becoming a free-for-all on the virus front, the company buckled down and concentrated on squashing every single security bug it could find. The net result? Windows is now an extremely secure operating system.

As more and more of our lives come to rely on software, we need to be far more focused on this, rather than rushing to add features on top of a shaky foundation.

Security through diversity

More than that, we need to encourage more diversity of software. Windows became such a target for viruses because it was the biggest game in town – by a long, long way. On the web, we’re seeing a similar shift towards single systems dominating. How much of the web does WordPress now power? What proportion is sitting on Linux/Apache web servers? The very thing that makes them so attractive – widespread use, with all the experience and scaling that comes with it – also makes them a target. WordPress has done much to mitigate the risk, giving its software the ability to update itself automatically with the newest security releases when they are needed.

But this week’s events show that we need a serious focus on security in all our software – including our security software. The price of the freedoms we enjoy on the web is this vigilance – that’s our new normal.

Image by snoopsmaus and used under a Creative Commons licence