Two Reasons why Heartbleed doesn’t really change anything

The Heartbleed bug in OpenSSL is a very big deal, but it would be a mistake to think it changes the overall security landscape

Heartbleed, the CVE-2014-0160 OpenSSL flaw that threatens security of communications across a terrifying large swath of the Internet, could hardly be worse. And yet. I believe that it’s unlikely to spur real and lasting change in either the mechanics of online security or the way individuals and companies deal with the situation.

Given the seriousness of the Heartbleed flaw and the publicity it’s generated, that might seem surprising. After all:

On top of the recent malware issues and corporate breaches in the news, you’d think a massive issue like Heartbleed would be the last straw, finally forcing individuals, websites, and IT shops to take security more seriously.

Well, here are two reasons that’s not likely to happen.

Reason Number 1: As noted above, Heartbleed is far from the first serious Internet security issue to capture the media’s attention. Some of the earlier breeches and malware scandals were plenty bad, too, but they haven’t materially changed the behavior of most Internet users. Too many IT organizations still don’t take security seriously enough, and it’s not clear to me how Heartbleed will change that.

Reason Number 2: While Heartbleed reveals a huge security hole, that vulnerability has yet to be connected to real-world consequences. Antone Gonsalves at CSO quotes Daniel Ingevaldson, chief technology officer for Easy Solutions, saying a list of 10,000 domains that were vulnerable, patched or unaffected by the bug found on Pastebin “is essentially a billboard" for bad guys looking for ways to grab passwords and other key information. But even if those lists eventually turn into a spike in identity theft and other crimes, it will be difficult to definitively tie them to Heartbleed.

Here’s the thing. Everyone from individuals to small businesses to large enterprises and even governments continue to show an amazingly ability to ignore online security problems. Unless and until people experience real losses themselves (or see it happen to someone they know), they tend to see online security as an abstract danger, far removed from their more pressing daily worries and fears.

In some ways, that’s a good thing -- who wants to be terrified out of using the Internet? But thinking that it won’t happen to you in the future just because you haven’t seen it happen yet is hardly a defense strategy.

So I’m hoping that I’m wrong. I’m hoping that Heartbleed will actually do some good by convincing more people and organizations to change how they secure their online activities and offerings.

I’m just not very optimistic about it. When I saw Neil DeGrasse Tyson speak recently, he casually joked that “Inertia is the most powerful force in the universe.” When it comes to online security, I think he may be right.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.