Secure Sockets Layer (SSL) encryption has been at the core of internet security for almost two decades. More importantly, organizations and individuals have come to rely on it to protect sensitive information and privacy. It is perhaps the most widely implemented security protocol in almost every facet of IT and information-based communications, ranging from computers, cell phones and tablets all the way to point-of-sale (POS) terminals and other devices.
Simply put, SSL provides a protocol for establishing an encrypted tunnel between devices and systems, allowing data to be transmitted securely. It requires both systems to establish trust through an exchange of information before the encrypted tunnel is built. The strength and integrity of the encrypted session rely on protecting the private encryption key that is used in this process.
In order to keep an SSL session alive, systems can send each other a regular signal or ‘heartbeat.’ ‘Heartbleed’ is the name of a flaw in the heartbeat handling of earlier versions of OpenSSL, an open-source implementation of the SSL protocol, which exposes information from the affected system without encryption. OpenSSL is considered to be one of the most widely adopted implementations of SSL. It is available free of charge and maintained as a public open-source project, significantly reducing associated operational costs.
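The heartbeat flaw the paragraph above describes is, at its core, a missing bounds check: the receiver trusts a length field inside the message instead of the number of bytes it actually received. The following C program is an added illustration, not code from this page or from the OpenSSL project, that models this in a constructed, memory-safe toy. The message layout follows the heartbeat extension (a one-byte type, a 16-bit big-endian length, then the payload); the function names, the 64-byte `arena` standing in for process memory, and the secret string placed next to the request are all hypothetical. It shows the unchecked handler echoing bytes that were never part of the request, and the corrected handler discarding the malformed message, which is the check a code reviewer or fuzz harness should be looking for in any length-prefixed protocol parser.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical layout of the bytes received for one heartbeat message:
 *   [type:1][payload_length:2, big-endian][payload:N][padding]
 * The 16-bit length field is sender-controlled; the receiver only knows how
 * many bytes actually arrived (record_len). */
#define HB_HDR 3
#define ARENA_SIZE 64

/* Unchecked handler: echoes the payload back, trusting the declared length.
 * `arena` stands in for process memory: the request sits at offset 0 and
 * whatever else the process holds (here a constructed secret) sits right
 * after it. Reads are clamped to the arena so this demo never touches memory
 * it does not own; note the clamp is to the arena, not to the record. */
size_t hb_respond_unchecked(const uint8_t *arena, size_t arena_len,
                            size_t record_len, uint8_t *out, size_t out_cap) {
    (void)record_len;                        /* the defect: never consulted */
    size_t declared = ((size_t)arena[1] << 8) | arena[2];
    size_t avail = arena_len - HB_HDR;       /* demo-only safety clamp */
    size_t n = declared < avail ? declared : avail;
    if (n > out_cap) n = out_cap;
    memcpy(out, arena + HB_HDR, n);
    return n;
}

/* Checked handler: the declared length must fit inside the bytes actually
 * received, otherwise the message is silently discarded. */
size_t hb_respond_checked(const uint8_t *arena, size_t arena_len,
                          size_t record_len, uint8_t *out, size_t out_cap) {
    if (record_len < HB_HDR || record_len > arena_len) return 0;
    size_t declared = ((size_t)arena[1] << 8) | arena[2];
    if (HB_HDR + declared > record_len) return 0;   /* the missing bounds check */
    if (declared > out_cap) return 0;
    memcpy(out, arena + HB_HDR, declared);
    return declared;
}

/* Constructed scenario: a request whose length field claims `declared`
 * bytes but actually carries only `payload`, with a secret placed directly
 * after the record. Returns the number of bytes that really arrived. */
static size_t build_arena(uint8_t *arena, uint16_t declared,
                          const char *payload, const char *secret) {
    memset(arena, 0, ARENA_SIZE);
    arena[0] = 1;                            /* heartbeat_request */
    arena[1] = (uint8_t)(declared >> 8);
    arena[2] = (uint8_t)(declared & 0xff);
    size_t plen = strlen(payload);
    memcpy(arena + HB_HDR, payload, plen);
    size_t record_len = HB_HDR + plen;
    memcpy(arena + record_len, secret, strlen(secret)); /* unrelated neighbour */
    return record_len;
}

/* 1 if the unchecked handler echoes the neighbouring secret, 0 otherwise. */
int unchecked_leaks_secret(void) {
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    const char *secret = "PRIVATE-KEY-BYTES";   /* constructed stand-in */
    size_t rec = build_arena(arena, 40, "hi", secret);
    size_t n = hb_respond_unchecked(arena, ARENA_SIZE, rec, out, sizeof out);
    return n > 2 && memcmp(out + 2, secret, strlen(secret)) == 0;
}

/* Bytes echoed by the checked handler for a request that declares `declared`
 * bytes but carries only `payload`. */
size_t checked_response_len(uint16_t declared, const char *payload) {
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec = build_arena(arena, declared, payload, "PRIVATE-KEY-BYTES");
    return hb_respond_checked(arena, ARENA_SIZE, rec, out, sizeof out);
}

int main(void) {
    printf("unchecked handler leaks neighbouring secret: %d\n", unchecked_leaks_secret());
    printf("checked handler, malformed request: %zu bytes echoed\n", checked_response_len(40, "hi"));
    printf("checked handler, honest request: %zu bytes echoed\n", checked_response_len(2, "hi"));
    return 0;
}
```

The checked handler rejects a request claiming 40 bytes that delivered only 2, while still answering an honest 2-byte request. The same rule applies to any length-prefixed format: validate every embedded length against the bytes actually received before it drives a copy.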
A fix, or ‘patch,’ for this vulnerability was released on the day ‘Heartbleed’ first surfaced. Research, however, has shown that this flaw in OpenSSL existed for up to two years prior to the fix without any acknowledgement.
‘Heartbleed’ allows an attacker to potentially extract data that would otherwise have been encrypted from the server that hosts it.
Exposed data may include usernames and passwords, credit card details, intellectual property, and personal information about your users, customers and systems.
‘Heartbleed’ leaves very little forensic evidence, making it extremely difficult to know whether any information has been compromised.
This vulnerability may in some cases have already allowed attackers to obtain the private encryption key(s), and potentially to decipher encrypted communications on an ongoing basis unless the key(s) are replaced.
If your organization uses OpenSSL, you may have lost sensitive information or your private encryption key(s). This may have widespread implications including immediate and ongoing financial, legal, regulatory and reputational consequences for you, your customers and your supply chain.
As a precautionary measure, the Canada Revenue Agency (CRA) shut down public access to many of the online services to protect the information that could have been affected.
The Office of the Superintendent of Financial Institutions (OSFI) has stepped in to make sure the country’s financial service organizations are dealing with potential associated risks.
For a deeper conversation contact Patrick MacGloin, Director, Risk Assurance Services.