Learning from Heartbleed to Quantum-Proof the Future

A decade ago, a new vulnerability caused a collapse in our digital foundations. The Heartbleed exploit in OpenSSL – a widely used open source library that implements the TLS/SSL protocol connecting everything – sent shockwaves across the globe. It became apparent that almost all digital systems had a fundamental flaw in the foundations of their security.

The flaw meant the system of identity – machine identities like TLS certificates – that authenticate everything from our banks to retailers to government online, had to be replaced.

It was a terrifying time. It wasn’t just another patch event. This required all TLS certificates to be rekeyed, replaced, and validated to have been updated. Something never done at scale across the internet and businesses. The crisis mode that resulted persisted for well over six months and was never completely mopped up. On a daily basis, new information about the full impact was emerging.

The vulnerability was running rampant and because almost every organization used OpenSSL somewhere, everyone was affected. Most companies were totally unprepared for an event of this kind.

As the 10-year anniversary of the vulnerability looms, it’s time to reflect: could something like Heartbleed happen again? And if it does, will we be prepared? With the threat of quantum computers capable of cracking widely used asymmetric encryption on the horizon, we face an even larger threat to our digital foundations – we could be hit with multiple Heartbleeds, daily.

We didn’t make our businesses Heartbleed-proof, but we can quantum-proof our businesses if we decide to act. We must learn the lessons of the past and prepare ourselves for the fast-approaching future. This means getting firm control over machine identities. 

The Vulnerability That Shook the World

The name Heartbleed has two elements. The ‘heart’ refers to the Heartbeat extension added to OpenSSL to check connection status. The ‘bleed’ is the ability for attackers to bleed the most closely guarded secrets, TLS keys and certificates, from servers just by saying ‘hello’ on the Internet.
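
The missing length check behind the 'bleed', as an added example (not OpenSSL's code and not part of the original article): a simplified C model of a Heartbeat handler, using the RFC 6520 message layout of type, 2-byte payload length, payload and at least 16 bytes of padding, before and after the fix. The function names, the `arena` and `good` buffers and their contents are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_RESPONSE 2
#define HB_HEADER   3   /* type (1 byte) + payload_length (2 bytes, big-endian) */
#define HB_PADDING  16  /* minimum padding RFC 6520 requires after the payload */

/* Constructed stand-in for server memory: a 4-byte request claiming a 32-byte
 * payload, followed by unrelated data that must never reach the peer. */
const uint8_t arena[64] = "\x01\x00\x20" "A" "-----BEGIN PRIVATE KEY----- (constructed)";
#define RECEIVED_LEN 4  /* bytes that actually arrived: header plus "A" */

/* Constructed well-formed request: 2-byte payload, then 16 zero bytes of padding. */
const uint8_t good[HB_HEADER + 2 + HB_PADDING] = "\x01\x00\x02" "hi";
uint8_t reply[64];

/* Pre-fix shape: echo as many bytes as the peer claims it sent.
 * The demo input keeps the copy inside arena and reply. */
size_t hb_reply_unchecked(const uint8_t *rec, uint8_t *out)
{
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed); /* runs past the record */
    return HB_HEADER + claimed;
}

/* Fixed shape: silently discard unless header, claimed payload and padding
 * all fit inside the bytes actually received. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < HB_HEADER + HB_PADDING)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len)
        return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    return HB_HEADER + claimed;
}

int main(void)
{
    printf("unchecked reply: %zu bytes\n", hb_reply_unchecked(arena, reply));
    printf("checked, truncated request: %zu bytes\n", hb_reply_checked(arena, RECEIVED_LEN, reply));
    printf("checked, valid request: %zu bytes\n", hb_reply_checked(good, sizeof good, reply));
    return 0;
}
```

The unchecked handler returns 31 bytes the peer never sent, including the constructed key marker; the checked handler drops the same request and still answers the well-formed one.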

When it was first discovered, conservative estimates suggested more than half a million public websites were laid bare – with the real figure likely to be much higher. The vulnerability went far deeper within business networks. This included household names such as AWS, Reddit, McAfee, VMware, Oracle, and many more.

At first, it was unclear if Heartbleed could lead to such easy exploitation and release of machine identities. Cloudflare soon put any doubts to rest, showing how the vulnerability could be exploited to enable servers to cough up TLS keys and certificates. This could allow adversaries to masquerade as the most trusted websites – smashing the foundation of Internet security. Then the breaches started, and evidence that Heartbleed had been exploited in the wild emerged, with hackers quickly taking advantage to steal 4.5 million health records from Community Health Services in the US.

And the problem persisted well after the initial discovery. While patches were issued,

One of the biggest challenges was that patching alone would not remedy the issue. All TLS keys and certificates – the machine identities authenticating every website to the world – had to be rekeyed, reissued, reinstalled, and validated. This had never been done before, with some estimates putting the clean-up efforts as costing half a billion dollars.

Quantum Computing: Your Daily Heartbleed on Steroids

You’d hope that developments in cybersecurity mean we are better prepared for a Heartbleed-style event today. Unfortunately, the opposite could well be true. Back in 2014, our IT world was a lot simpler, with far less TLS and far fewer certificates in use. Today, with the shift to dynamic cloud-native architectures, the picture is more complex.

The volume, variety and velocity of machine identities have increased. TLS is everywhere. There are more than 290 million TLS certificates across the globe, jumping by more than 40 million in the last two years alone. Moreover, with Google on the verge of mandating 90-day expiry deadlines for certificates, rolling replacements and shorter lifespans are going to be the norm in no time.

Yet, an even bigger risk is coming into view: quantum computing. When a quantum computer capable of cracking the asymmetric encryption that underpins our digital world’s system of identity emerges, all bets are off. 

It will be Heartbleed on steroids and all digital systems will be at risk. Some estimates suggest a quantum computer event or even a near event could be as soon as five years away. Those businesses with robust certificate lifecycle management practices in place will fare best in such a scenario.

Heeding Lessons from History

Things move fast in IT and cybersecurity. It’s easy to forget the devastating impact that events like Heartbleed can have. But we can and should learn from the lessons of the past.

Organizations need to ask themselves: if Heartbleed happened today, would I be able to cope? Do I know where all my TLS keys and certificates are? Do I know how they are being used and secured? Can I tell if they’ve been compromised? If necessary, could I find and replace them quickly without stopping business? If the answer to any of these questions is no, you have a problem.

Thankfully, work is already underway to develop new quantum resistant algorithms that will spawn a new generation of quantum resistant machine identities. Yet, every company will be responsible for their own migration. Much like with Heartbleed, this will mean locating all the TLS keys and certificates that need to be replaced, understanding what they are being used for, and updating them in the least disruptive way possible.

We can quantum-proof our business. If we start to implement the certificate lifecycle management needed to meet Google’s 90-day requirement, we’ll be in a great position for success whatever the future throws at us.

Yet as anyone who was on the ground for Heartbleed will tell you, manually swapping out all your TLS certificates is time-consuming, complex, and prone to human error, so automation will be essential. But careful planning will also be vital. By taking steps to embed and mature machine identity management, your business wins today and armors itself for the quantum-proof future ahead.
