Heartbleed, the CVE-2014-0160 OpenSSL flaw that threatens the security of communications across a terrifyingly large swath of the Internet, could hardly be worse. And yet. I believe that it’s unlikely to spur real and lasting change in either the mechanics of online security or the way individuals and companies deal with the situation.
Given the seriousness of the Heartbleed flaw and the publicity it’s generated, that might seem surprising. After all:
The bug has compromised security on an estimated two-thirds of the world’s websites: by reading chunks of a server’s memory, attackers can potentially obtain personal information ranging from usernames and passwords to SSL private keys.
Heartbleed affects many mobile apps as well.
Black-hat hackers and online criminals are already reported to be prepping to find ways to profit from the flaw, in what one observer calls “a gold rush” to take advantage of the opening before it's closed.
That means that, unlike most security holes, Heartbleed’s public disclosure actually makes us more vulnerable than we were before, at least until the patches are installed everywhere, any certificates whose private keys may have been exposed are reissued, and all the potentially exposed passwords are changed.
To make matters worse, if such a thing is possible, the National Security Agency (NSA) has had to deny reports that it knew about and exploited the bug for years.
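The mechanics behind the exposure listed above, as an added illustration that is not part of the original article: the TLS heartbeat extension lets a peer send a small payload and ask for it to be echoed back. In the vulnerable OpenSSL code the peer’s own length field, not the length of the record actually received, decided how many bytes were copied into the reply, so a request claiming up to 64 KB of payload got back that much of whatever sat next to it in server memory. That is how cookies, passwords and private keys could leak. The C below is a simplified model of that pattern, not the OpenSSL source; the message layout follows RFC 6520, and the function names, the 128-byte buffer standing in for server memory and the “cookie=SECRET” bytes are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TLS heartbeat message (RFC 6520): type byte, 2-byte big-endian payload
 * length, the payload, then at least 16 bytes of padding. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PAD = 16, HB_HDR = 3 };

static uint16_t n2s(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Shared reply builder: echoes `payload` bytes from after the header. */
static size_t build_reply(const uint8_t *rec, uint16_t payload,
                          uint8_t *out, size_t out_cap)
{
    size_t need = HB_HDR + (size_t)payload + HB_PAD;
    if (need > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);  /* echo the payload */
    memset(out + HB_HDR + payload, 0, HB_PAD);    /* padding */
    return need;
}

/* Vulnerable shape (the CVE-2014-0160 pattern): the peer's own length field
 * decides how many bytes are echoed; rec_len, the number of bytes actually
 * received, is never consulted, so the memcpy in build_reply reads past the
 * record into whatever follows it in memory. */
size_t heartbeat_reply_vulnerable(const uint8_t *rec, size_t rec_len,
                                  uint8_t *out, size_t out_cap)
{
    (void)rec_len;                              /* ignored: that is the bug */
    if (rec[0] != HB_REQUEST) return 0;
    return build_reply(rec, n2s(rec + 1), out, out_cap);
}

/* Fixed shape: header + claimed payload + minimum padding must fit inside the
 * record actually received; otherwise the request is silently dropped. */
size_t heartbeat_reply_fixed(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PAD || rec[0] != HB_REQUEST) return 0;
    uint16_t payload = n2s(rec + 1);
    if ((size_t)HB_HDR + payload + HB_PAD > rec_len) return 0;  /* the missing check */
    return build_reply(rec, payload, out, out_cap);
}

/* Small substring search (memmem is not portable C). */
static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Constructed scenario: one buffer stands in for the server's memory. A
 * 21-byte heartbeat request that claims 40 payload bytes but carries 2 sits
 * at the front; an unrelated secret follows it and was never sent by the peer. */
#define REC_LEN (HB_HDR + 2 + HB_PAD)
static void build_memory(uint8_t mem[128])
{
    memset(mem, 0, 128);
    mem[0] = HB_REQUEST;
    mem[1] = 0; mem[2] = 40;                     /* claims 40 bytes of payload */
    memcpy(mem + HB_HDR, "hi", 2);               /* actually sends 2 */
    memcpy(mem + REC_LEN, "cookie=SECRET", 13);  /* adjacent memory, not on the wire */
}

int vulnerable_leaks_secret(void)
{
    uint8_t mem[128], out[128];
    build_memory(mem);
    size_t n = heartbeat_reply_vulnerable(mem, REC_LEN, out, sizeof out);
    return n == HB_HDR + 40 + HB_PAD && contains(out, n, "SECRET");
}

int fixed_rejects_oversized(void)
{
    uint8_t mem[128], out[128];
    build_memory(mem);
    return heartbeat_reply_fixed(mem, REC_LEN, out, sizeof out) == 0;
}

int fixed_echoes_honest_request(void)
{
    uint8_t mem[128], out[128];
    build_memory(mem);
    mem[2] = 2;                 /* claimed length now matches the 2 bytes sent */
    size_t n = heartbeat_reply_fixed(mem, REC_LEN, out, sizeof out);
    return n == REC_LEN && out[0] == HB_RESPONSE
           && memcmp(out + HB_HDR, "hi", 2) == 0 && !contains(out, n, "SECRET");
}

int main(void)
{
    printf("vulnerable handler leaks adjacent secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler drops oversized request:    %d\n", fixed_rejects_oversized());
    printf("fixed handler answers honest request:     %d\n", fixed_echoes_honest_request());
    return 0;
}
```

The only difference between the two handlers is the single bounds check, which is essentially what the OpenSSL patch added; the fixed version also drops a malformed request instead of answering it, so a scanner probing with an oversized length gets nothing back. Patching stops further reads but does nothing about what was already read, which is why changing exposed passwords, and reissuing certificates whose private keys may have sat in the same heap, is part of the cleanup rather than an optional extra.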
On top of the recent malware issues and corporate breaches in the news, you’d think a massive issue like Heartbleed would be the last straw, finally forcing individuals, websites, and IT shops to take security more seriously.
Well, here are two reasons that’s not likely to happen.
Reason Number 1: As noted above, Heartbleed is far from the first serious Internet security issue to capture the media’s attention. Some of the earlier breaches and malware scandals were plenty bad, too, but they haven’t materially changed the behavior of most Internet users. Too many IT organizations still don’t take security seriously enough, and it’s not clear to me how Heartbleed will change that.
Reason Number 2: While Heartbleed reveals a huge security hole, that vulnerability has yet to be connected to real-world consequences. Antone Gonsalves at CSO quotes Daniel Ingevaldson, chief technology officer for Easy Solutions, saying that a list posted on Pastebin of 10,000 domains, tagged as vulnerable, patched or unaffected by the bug, “is essentially a billboard” for bad guys looking for ways to grab passwords and other key information. But even if those lists eventually turn into a spike in identity theft and other crimes, it will be difficult to definitively tie them to Heartbleed.
Here’s the thing. Everyone from individuals to small businesses to large enterprises and even governments continues to show an amazing ability to ignore online security problems. Unless and until people experience real losses themselves (or see it happen to someone they know), they tend to see online security as an abstract danger, far removed from their more pressing daily worries and fears.
In some ways, that’s a good thing -- who wants to be terrified out of using the Internet? But thinking that it won’t happen to you in the future just because you haven’t seen it happen yet is hardly a defense strategy.
So I’m hoping that I’m wrong. I’m hoping that Heartbleed will actually do some good by convincing more people and organizations to change how they secure their online activities and offerings.
I’m just not very optimistic about it. When I saw Neil deGrasse Tyson speak recently, he casually joked that “Inertia is the most powerful force in the universe.” When it comes to online security, I think he may be right.