Google updates its services to stop the bleeding
The Internet is all abuzz with news of the Heartbleed bug, which was discovered in the popular OpenSSL encryption library. For those who haven't heard, OpenSSL had a bug in its handling of the TLS heartbeat extension which lets anyone who can connect to a vulnerable server, whether a cyber-criminal or a government agency, read chunks of that server's memory. That memory can hold session cookies, passwords that other users have just submitted and, worst of all, the server's private key, which in turn can be used to decrypt traffic flowing over a supposedly secure connection. Most of us use secure connections when we sign in to Gmail or Google Play etc. and send our email address and password to Google for verification. A secure connection is used so that an eavesdropper can't read our passwords. This isn't only true of Google services: all the major services use HTTPS when we sign in or when we perform an online financial transaction.
Google has announced that it has updated the OpenSSL library on its servers (and, we presume, generated new private keys, reissued its certificates and revoked the old ones) for Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. The search giant says that Google Chrome and Chrome OS are not affected.
Heartbleed is particularly severe because the bug has been in the OpenSSL library for two years, and if a government agency did discover the bug (and didn't tell anyone) then all past and future traffic to an exploited website is open for decryption. The reason is that the actual private key associated with a site's SSL certificate can be read out of the server's memory. Once the key has been read, all traffic to and from the site can be decrypted, even traffic that was captured previously and stored away in a deep government archive. The one caveat is forward secrecy: where the browser and server negotiated an ephemeral Diffie-Hellman key exchange, the stolen certificate key still lets an attacker impersonate the site from now on, but it does not unlock recorded sessions, because their session keys were never protected by that key in the first place.
Tumblr has suggested that today might be a good day to “call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking.” The problem with Tumblr's advice is that until a service has actually given the all clear, as Google has, changing your password is of little value: your new password can be captured just as quickly as the old one. Only once a service has updated to a fixed version of OpenSSL, generated new keys and reissued (and revoked) its certificates can users safely change their passwords. The certificate step matters too: as long as the old private key is in circulation an attacker can still impersonate the site and intercept the new password.
A few of Google's services are still being updated, most notably Cloud SQL, which Google says is being patched right now, and Google Compute Engine. In the case of the latter Google says that its customers need to manually update OpenSSL on each running instance or replace any existing images with versions that include an updated OpenSSL. Updating the package alone is not enough: any server process that loaded the old library must also be restarted, since a running process keeps using the copy it mapped at start-up.
Google also reported that Android isn't affected by the bug, with the exception of Android 4.1.1. The bug is called Heartbleed because the error is in OpenSSL's implementation of the TLS heartbeat extension. Android 4.1.2 disabled the heartbeat functionality for better wpa_supplicant interoperability.
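To make the heartbeat bug concrete, here is an added illustration that is not part of the original post and not OpenSSL's code: a small Python model of heartbeat record handling. A heartbeat message is a one-byte type, a two-byte payload length, the payload and at least 16 bytes of padding, and the peer echoes the payload back. The vulnerable function mirrors the pre-fix logic of trusting the payload length written in the message; the fixed function mirrors the bounds check that was added, which drops any record whose declared payload does not fit inside the record that actually arrived. The "heap" bytes, the secret placed next to the record, and all the function names are constructed here for the demonstration.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3          # 1 byte type + 2 byte payload_length
MIN_PADDING = 16        # a heartbeat must carry at least 16 bytes of padding

# Constructed for this example: what happens to sit in memory right after the record.
CONSTRUCTED_SECRET = b"Cookie: SID=abc123deadbeef; -----BEGIN RSA PRIVATE KEY-----"


def build_heartbeat(payload, claimed_length=None):
    """Build a heartbeat request; claimed_length lets the sender lie about the payload size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def response_payload(response):
    """Extract the echoed payload from a heartbeat response."""
    _, length = struct.unpack_from("!BH", response, 0)
    return response[HEADER_LEN:HEADER_LEN + length]


def vulnerable_respond(memory, record_offset, record_length):
    """Pre-fix behaviour: trust payload_length from the message and copy that many bytes.

    `memory` stands in for the server's process memory; the record starts at record_offset.
    """
    _, payload_length = struct.unpack_from("!BH", memory, record_offset)
    start = record_offset + HEADER_LEN
    # record_length is never consulted, so the copy runs past the end of the
    # record into whatever neighbours it in memory.
    echoed = memory[start:start + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def fixed_respond(memory, record_offset, record_length):
    """Post-fix behaviour: the record must hold header + padding, and the declared
    payload must fit inside the record that actually arrived; otherwise drop it."""
    if HEADER_LEN + MIN_PADDING > record_length:
        return None
    _, payload_length = struct.unpack_from("!BH", memory, record_offset)
    if HEADER_LEN + payload_length + MIN_PADDING > record_length:
        return None
    start = record_offset + HEADER_LEN
    echoed = memory[start:start + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def demo(claimed_length=64):
    """Lay a lying record next to the secret in a constructed 'heap' and serve it both ways.

    A real attacker could claim up to 65535 bytes; 64 is enough to show the leak here.
    """
    record = build_heartbeat(b"ping", claimed_length=claimed_length)
    record_offset = 8
    heap = b"\xaa" * record_offset + record + CONSTRUCTED_SECRET + b"\xbb" * 8
    leaked = vulnerable_respond(heap, record_offset, len(record))
    safe = fixed_respond(heap, record_offset, len(record))
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable server echoed:", response_payload(leaked))
    print("fixed server response:", safe)
```

The record only carries the four bytes "ping", but because it claims 64, the vulnerable echo returns the padding and then the secret lying beyond it, which is exactly how cookies, passwords and key material were recovered in practice. The fixed version returns nothing for that record and still echoes an honest request normally.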
The ironic thing is that Neel Mehta of Google was actually credited with finding the bug, so you would have thought that Google had a head start on fixing the issue and its services should have already been secure before the news hit the net. Maybe Google has become too much of a corporation for that to have happened!