Heartbleed is bandaged. Now how do we prevent the next one?


Disheartened by the fallout from Heartbleed? You’re not alone. The tiny bug in the world’s most popular SSL library poked huge holes in the security wrapping our communications with all kinds of cloud-based websites, apps, and services — and the holes aren’t even all patched yet.

The Heartbleed bug allowed attackers to peel back the snoop-resistant lining of OpenSSL and peek at the communications between client and server. This gave hackers a look at things like passwords and session cookies, which are small pieces of data that the server sends you after you log in and your browser sends back every time you do something in order to prove it’s you. And if the bug affected a financial site, other sensitive information you were passing through the Net, like credit card or tax info, may have been seen.

How can the Internet best protect itself against catastrophic bugs like this? We have a few ideas.

Yes, you need safer passwords: Here’s how to make them

Okay, so better passwords wouldn’t prevent the next Heartbleed, but they may save you from being hacked someday. Many people are just awful at creating secure passwords.

You’ve heard it all before: don’t use “password1,” “password2,” etc. Most passwords don’t have enough of what’s called entropy—they are definitely not random and they will be guessed if an attacker ever gets the opportunity to make lots of guesses, either by hammering the service or (more likely) stealing the password hashes—mathematical derivations of the passwords that can be checked but not reversed back into the original password.

Whatever you do, don’t use the same password in more than one place.

Many service providers approach this problem by requiring users to have passwords of a certain length, containing punctuation and numbers to try to increase the entropy. The sad reality, though, is that rules like this only help a little. A better option is long phrases of actual, memorable words—what has become known as a “correct horse battery staple” password, in honor of this XKCD comic explaining the concept. Unfortunately, you may (like I do) run into providers that won’t let you use passwords like that. (Yes, there are financial institutions that cap you at 10 characters. No, I don’t know what they’re smoking.)

Password-management software or services that use end-to-end encryption can also help. KeePass is a good example of the former; LastPass of the latter. Guard your email well, as it can be used to reset most of your passwords. And whatever you do, don’t use the same password in more than one place—you’re just asking for trouble.

Websites need to implement One-Time-Passwords

OTP stands for “one-time password,” and you may already use it if you’ve got a website/service set up that requires you to use Google Authenticator. Most of these authenticators (including Google’s) use an Internet standard called TOTP, or Time-based One-Time Password, which is described here.

What is TOTP? In a nutshell, the website you’re on generates a secret number, which is passed once to your authenticator program, typically through a QR code. In the time-based variation, a new six-digit number is generated from that secret number every 30 seconds. The website and client (your computer) don’t need to communicate again; numbers are simply displayed on your authenticator and you supply them to the website as requested in conjunction with your password, and you’re in. There’s also a variation that works by sending the same codes to you via a text message.

LastPass Android App
LastPass’ Android app

Advantages of TOTP: Even if Heartbleed or a similar bug were to result in the disclosure of both your password and the number on your authenticator, the website you’re interacting with has almost certainly already marked that number as used and it cannot be used again—and it will be invalid within 30 seconds anyway. If a website doesn’t already offer this service, it can probably do so relatively easily, and if you have virtually any smartphone, you can run an authenticator. It’s slightly inconvenient to consult your phone to log in, granted, but the security benefit for any service you care about make it worth it.

Risks of TOTP: Breaking into a server a different way could result in the disclosure of the secret number, enabling the attacker to create their own authenticator. But if you’re using TOTP in conjunction with a password that isn’t stored by the website—most good providers store a hash that is strongly resistant against reverse-engineering it—then between the two of them, your risk is greatly lowered.

The power of client certificates (and what they are)

You’ve probably never heard of client certificates, but they’ve actually been around a very long time (in Internet years, of course). The reason you probably haven’t heard of them is that they’re a chore to get. It’s far easier to just get users to pick a password, so only high-security sites tend to use certificates.

What is a client certificate? Client certificates prove you are the person you claim you are. All you have to do is install it (and one works across many sites) in your browser, then choose to use it when a site wants you to authenticate. These certificates are a close cousin of the SSL certificates websites use to identify themselves to your computer.

The most effective way a website can protect your data is to never be in possession of it in the first place.

Advantages of client certificates: No matter how many sites you sign in to with a client certificate, the power of math is on your side; nobody will be able to use that same certificate to pretend to be you, even if they observe your session.

Risks of client certificates: The primary risk of a client certificate is that someone may break into your computer and steal it, but there are mitigations for that risk. Another potential issue is that typical client certificates carry some identity information you may not wish to disclose to every site you use. Although client certificates have been around forever, and working support exists in Web server software, there is still a lot of work to do on both service providers’ and browsers’ sides to make them work well. Because they’re used so rarely, they get little development attention.

Most importantly: End-to-end encryption

The most effective way a website can protect your data is to never be in possession of it in the first place — at least, not a version it can read. If a website can read your data, an attacker with sufficient access can read your data. This is why we like end-to-end encryption (E2EE).

What is end-to-end encryption? This means that you encrypt the data on your end, and it stays encrypted until it reaches the person you are intending it for, or it returns to you.

Advantages of E2EE: End-to-end encryption is implemented in a few services already, like online backup services. There are also weaker versions of it in some messaging services, especially those that cropped up after the Snowden revelations. It is hard for websites to do end-to-end encryption, though, for two reasons: they might need to see your data to provide their service, and Web browsers are terrible at performing E2EE. But in the age of the smartphone app, end-to-end encryption is something that can and should be done more often. Most apps aren’t using E2EE today, but we hope we’ll see more of it going forward. If your apps aren’t using E2EE for your sensitive data, you should complain.

Risks of E2EE: For end-to-end encryption to work, it must be done across the board—if an app or website only does it halfheartedly, the whole house of cards may collapse. One piece of unencrypted data can sometimes be used to gain access to the rest. Security is a weakest-link game; only one link in the chain must fail to break it.

So, now what?

Obviously, there isn’t a lot that you, as a user, can control. You’ll be lucky to find a service that uses one-time passwords with an authenticator. But you should definitely talk to the websites and apps you use and let them know that you realize bugs in software happen, and you think they should take security more seriously and not simply rely on passwords.

If more of the Net uses these these advanced security methods, maybe next time there’s a Heartbleed-scale software catastrophe—and there will be, eventually—we won’t have to panic so much. 

[Image courtesy of scyther5/Shutterstock]


Instagram tool accidentally exposes user passwords. Were you affected?

Instagram's Download Your Data tool accidentally exposed the passwords of a small number of users. Here is the explanation on what happened, and how to find out which Instagram accounts were compromised.

Lost your router? Here's how to find its IP address to help track it down

Changing the login information for your router isn't always easy, that's why so many have that little card on the back. But in order to use it, you need to know where to go. Here's how to find the IP address of your router.

Secure your Excel documents with a password by following these quick steps

Excel documents are used by people and businesses all over the world. Given how often they contain sensitive information, it makes sense to keep them from the wrong eyes. Thankfully, it's easy to secure them with a password.

Protecting your PDF with a password isn't difficult. Just follow these steps

If you need to learn how to password protect a PDF, you have come to the right place. This guide will walk you through the process of protecting your documents step-by-step, whether you're running a MacOS or Windows machine.

Save up to $850 with the best smartphone deals for November 2018

Need a better phone but don't want to spend a fortune? It's never a bad time to score a new smartphone and save some cash. We rounded up the best smartphone deals available that can save you as much as $850.

Apple applies for a patent on a wrap-around iPhone display

Previously, Apple was awarded a patent for a foldable phone, and the company has been rumored to be working on one. But it's not at all similar to other concepts. Here's everything we know about a folding iPhone.

Samsung Galaxy Note 10 display could be bigger than the iPhone XS Max screen

The Samsung Galaxy Note 9 was only released a few months ago, but Samsung is already working on a follow-up. Not much is known about the Samsung Galaxy Note 10 just yet, but we do have a few details.

How does fast charging work? Here’s every single standard compared

Modern smartphones can charge in mere minutes instead of hours. How does fast charging work? Here's a guide to the most popular standards, including Qualcomm Quick Charge, Apple fast charging, OnePlus Dash Charge, and more.

The Best Black Friday Deals from Best Buy in 2018

We've been hard at work assembling all the best Black Friday deals Best Buy offers in 2018 and putting them in one place to save you time and money this holiday season. From laptops to TVs, game consoles to smart speakers and much more…

Keep your phone organized with one of the best file managers for Android

Your smartphone has a limited amount of storage space and all sorts of files tend to accumulate if you let them. To keep things in order and find what you need, you should snag one of the best file managers for Android.

Upcoming Honor View 20 may forgo the notch for new display technology

Nearly a year after Honor released the spectacular Honor View 10, the Chinese smartphone giant appears to be hard at work on its successor, the Honor View 20. Here's everything we know about the upcoming midrange powerhouse.

The best Walmart Black Friday deals in 2018

Walmart has historically been the undisputed king of Black Friday deals. The mega-store is known for offering deals on products in almost every category, from smart TVs to children’s toys. We're combing through every deal as it is…

The Google Photos iOS app gets a bit better, now has depth control

Google updated the iOS version of the Google Photos app to now take advantage of the depth data that can be captured by the iPhone's camera in Portrait Mode. The new feature is already available in the Android app.

T-Mobile-Sprint merger could close as early as first quarter of 2019, exec says

T-Mobile and Sprint are finally merging. After a few failed attempts, the two companies announced their merger at the start of 2018. Once it's complete, the new T-Mobile could be better positioned to take on the likes of Verizon and AT&T.