Blog: Heartbleed

WTF Heartbleed? Don’t make me move all my HTTPS services to HTTP and ditch SSL completely

consultant-placeholder10 Ken Munro 09 Apr 2014

Over the course of the last 24 hours I’ve seen a few familiar websites that I use suddenly remove SSL. Their response to Heartbleed wasn’t to upgrade and deal with it. They haven’t patched the Heartbleed flaw, THEY ACTUALLY REVERTED TO PLAIN TEXT HTTP AUTH!

Yes, I’m serious, they’ve actually done that!

It got me thinking though– if for some reason they couldn’t upgrade OpenSSL, the advised fix, but had or wanted to continue delivering services, what should they do?

Maybe they just don’t understand the significance of Heartbleed, which is hard to comprehend given that it is the most significant bug in a very, very long time.

Would they be better off simply removing SSL? Perhaps…

Heartbleed enables the scraping of content from memory. Passwords, sessions, private keys etc. It doesn’t matter if you run non-vulnerable IIS servers. If the perimeter devices that protect them are vulnerable you’re still exposed to the same risk. Numerous security product vendors have problems – Sophos, Juniper etc. etc. Repeat, this is a very big deal.

So if offering SSL leads to data theft, how about not offering it?

The issues that unencrypted authentication presents are well known, but the one critical requirement for a successful attack is the ability to run a man in the middle attack or otherwise sniff the data in transit. That’s harder than it sounds, unless you are the NSA/GCHQ and have access to tap internet backbones etc.

The easiest place is of course a wireless hotspot. Then again, who needs Heartbleed if you can simply SSLStrip the client connection. Though at least you’re only attacking the client, not the server. You might get a few sets of user creds, rather than compromise an entire business.

The two big takeaways here are:

  • Heartbleed is a seriously big deal, I’m genuinely concerned about some organisations lack of urgency to fix it.
  • As Danny Dyer might say “don’t let Heartbleed mug you off Son”.

So Yes, you might actually be better off dropping authentication to HTTP.

…assuming that you really can’t patch the flaw, really can’t take services offline, can’t mitigate any other way but don’t want critical data extracted!

And just to be clear, I’m not advocating removing SSL. Heartbleed and unencrypted authentication are both really bad.