The Heartbleed Bug is about more than just passwords

Heartbleed24 hours after posting my “Heartbleed Bug for non-nerds” FAQ, I’m finally starting to see some coverage of the issue aimed at the general public in the press. Which is great! The general public needs to know about this. It’s a critical, urgent security issue for millions (billions?) of people.

The problem is that this coverage isn’t really getting at the things that are most worrisome about Heartbleed. They’re focusing instead on a very small slice of it: the potential compromise of user passwords. And that undersells the amount of damage that Heartbleed has done, and gives you a misleading picture of how much you should be worried about it.

My theory is that the stories are following this angle because “Web site hacked, everybody change your passwords” is by now a story that is familiar in every newsroom. It’s so common that when reporters are presented with a new security vulnerability like Heartbleed, their knees jerk and they reflexively start writing stories about how you need to change your passwords.

The problem is that Heartbleed is not like those other vulnerabilities. Heartbleed is much worse.

The reason is retrospective. Regardless of whether or not you change your password today, everything you have done on a Heartbleed-vulnerable server between December 31, 2011 and whenever that server gets patched has been vulnerable to eavesdropping. If an attacker took advantage of the bug during that period, in other words, they potentially had access not just to your password, but to everything you saw and did on that server. If you downloaded a PDF of a bank statement, they could potentially get a copy of that PDF. If you submitted your credit card information in an order form, they could have potentially grabbed that card info. If you read your email through a “secure” Web interface, they may have been reading it right along with you — and downloading a copy for their own personal reference library.

Everything you did on that server, you effectively did in public. For more than two years.

And the thing is, there’s nothing you, or anyone else, can do to un-ring that bell. If your information leaked, it leaked, and that’s that. Changing your password is only closing the barn door after some horses have bolted, to prevent any more from getting away.

This is the Heartbleed bomb that is still waiting to go off in the public mind, I think. People are realizing that Heartbleed was a Big Deal, and that they’re at risk of having had their passwords compromised, but what they aren’t realizing is that for two-plus years their passwords were more or less irrelevant. If they had information on a Heartbleed-vulnerable server, and they ever accessed that information, an attacker armed with knowledge of the bug could get at their information without ever needing their password. It would have flowed to them as easily as if the login form never even existed in the first place.

(This is also why another common response to Heartbleed — urging people to start using two-factor authentication — is kind of beside the point. Two-factor authentication is in general much better than a password by itself, and you should definitely use it wherever you can; but if the┬áserver’s encryption keys are compromised, it doesn’t matter how secure your login process is, since an attacker can just sidestep it altogether. It’s like building a massive fortress gate and then forgetting to build an actual wall on either side of it.)

I think the reason why this angle is under-reported at the moment is just because reporters in the general media are still getting their arms around this story and aren’t tech-savvy enough to have figured it out yet, and tech companies that were vulnerable to Heartbleed have little incentive to raise the issue; because there’s nothing anyone can do to undo the damage, it’s better from their perspective to just focus on the password issue and hope that people don’t look much beyond that. But it’s a major, major, major problem, and one that people really need to understand better.

Should you change your passwords on Heartbleed-vulnerable sites? Once they’re fixed, absolutely you should. But passwords are only the beginning of the story of Heartbleed’s risk to you, not the end of it.