By now you ought to have heard of it – Heartbleed, the catastrophic vulnerability estimated to affect around two-thirds of the web's servers, leaving them open to spies and hackers.
Heartbleed (tracked as CVE-2014-0160) is the name given to a catastrophic flaw in OpenSSL, the free, open-source software library that implements the SSL/TLS encryption protocols. Organizations use it, at no cost, to safeguard their Internet data and transactions.
The Internet was not designed for security – anyone with enough knowledge and access can scoop up reams of data from public WiFi networks or compromised servers. So software developers and businesses came up with a set of encryption standards, SSL and later TLS, that could be used to keep data safe while it travels.
With SSL/TLS, which OpenSSL implements on a large share of the world's web servers, your data – say, personal e-mails, traffic data, or credit card information – is encrypted in your browser before it leaves your device. The encrypted data is then transferred over the public Internet, and decrypted – 'unlocked', if you will – only by the server at the other end. A snoop scooping up data off a public WiFi network may capture your encrypted data, but it will be useless to them without the server's private key.
Except now, thanks to Heartbleed, an attacker can get that key, by reading it straight out of a vulnerable server's memory.
And it's not just limited to encryption keys. Any server running a vulnerable version of OpenSSL can be induced, by anyone able to connect to it, to hand back chunks of its memory – up to 64 KB per request, as many times as the attacker likes, and without leaving anything unusual in the server's logs. Whatever happened to be in that memory at the time – credit card numbers, passwords, private e-mails, session cookies, and so on – goes with it.
The e-commerce market alone was worth $231 billion in the United States. Privileged data – say, information that might allow insider trading – is sent via encrypted e-mail every day. And all of this was built on a foundation of trust in encryption technology – trust that, after Heartbleed, may be gone.
This is a huge, huge problem. And if you’re an organization that relies on the Internet to function – how can you rebuild the trust that allowed you to operate?
It’s a thorny question. But here are a few recommendations that might help you get started.
1. Do the right thing. Patches now exist to resolve the Heartbleed security flaw – implement them. If they cannot be implemented immediately, warn your customers – and if necessary, halt operations. Patching alone is not the end of it: because private keys may already have leaked, generate new keys, reissue your certificates and revoke the old ones, and invalidate existing sessions and cookies. Only then ask users to change their passwords – a password changed on a still-vulnerable server is simply the next one to be stolen. All of this will prove that, despite flaws in encryption software, your organization is committed to customer security. In the end, OpenSSL is a tool – and, as it turns out, a flawed one. But tools can be patched or replaced. A commitment to customer security cannot.
2. Be absolutely, utterly transparent. This transparency has emerged as a best practice. Tumblr, a blogging platform whose services were running the affected code, has warned every one of its users that their passwords could potentially have been leaked – and so they must take precautions.
3. Understand that it is not your fault – but don't try to pass the buck. This is a problem that affects most of the Internet. No one will blame your organization for a flaw in a library used almost everywhere. But trying to pass the buck to the authors of OpenSSL is not a good look. Instead, focus your communications on what you are doing to fix the problem – when you patched, whether you reissued your certificates, and what your users should do now – and your stakeholders will see that you and they are in the same boat.
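The first step above starts with knowing which of your systems run the affected code. As an added example (not part of the original article, and not a tool from the OpenSSL project), here is a small Python script that triages the output of `openssl version` across an inventory of hosts. The host names, version strings and function names are constructed for illustration. Note the caveat in the comments: Linux distributions often backport the fix without changing the version string, so a "vulnerable" verdict from the version alone means "check the vendor advisory and package changelog", not "confirmed hole".

```python
import re
import subprocess

# CVE-2014-0160 (Heartbleed) affects OpenSSL 1.0.1 through 1.0.1f and the
# 1.0.2-beta1 pre-release. 1.0.1g and 1.0.2-beta2 shipped with the fix;
# 0.9.8 and 1.0.0 never contained the heartbeat code that carries the bug.
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(?:beta|pre)(\d+))?"
)


def classify(version_line):
    """Return 'vulnerable', 'fixed', 'unaffected' or 'unknown' for one line
    of `openssl version` output.

    Caveat: distribution builds that backport the fix (e.g. a patched 1.0.1e)
    still print the old version string, so 'vulnerable' here is a prompt to
    check the vendor advisory / package changelog, not a confirmed hole.
    """
    m = _VERSION_RE.search(version_line)
    if m is None:
        return "unknown"            # not OpenSSL (LibreSSL, BoringSSL) or unparseable
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter = m.group(4)             # "" for a bare release, "e" for 1.0.1e, ...
    pre = int(m.group(5)) if m.group(5) else None

    if release < (1, 0, 1):
        return "unaffected"         # heartbeat extension only arrived in 1.0.1
    if release == (1, 0, 1):
        # 1.0.1 betas, 1.0.1 itself and 1.0.1a..1.0.1f carry the bug;
        # 1.0.1g (7 Apr 2014) is the first fixed release on this branch.
        return "vulnerable" if letter <= "f" else "fixed"
    if release == (1, 0, 2) and pre == 1:
        return "vulnerable"         # 1.0.2-beta1 was cut before the fix
    return "fixed"                  # 1.0.2-beta2 and every later branch


def audit(inventory):
    """Classify {host: version_line} and return (host, status) pairs, worst first."""
    order = {"vulnerable": 0, "unknown": 1, "fixed": 2, "unaffected": 3}
    results = {host: classify(line) for host, line in inventory.items()}
    return sorted(results.items(), key=lambda kv: (order[kv[1]], kv[0]))


def local_status():
    """Classify the openssl binary on PATH; 'unknown' if there is none."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, timeout=5)
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    return classify(proc.stdout)


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "lb-01":  "OpenSSL 1.0.0l 6 Jan 2014",
    "dev-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "mac-01": "LibreSSL 2.8.3",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host:8s} {status}")
    print(f"{'local':8s} {local_status()}")
```

In practice the version lines come from your configuration management or a fleet-wide `openssl version` run; the "vulnerable" and "unknown" buckets are the patch queue, and anything in "vulnerable" also goes on the list for key regeneration and certificate reissue once it is patched.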
Michael O’Shaughnessy is a Senior Account Executive at Citizen Canada