Heartbleed is bandaged. Now how do we prevent the next one?


Disheartened by the fallout from Heartbleed? You’re not alone. The tiny bug in the world’s most popular SSL library poked huge holes in the security wrapping our communications with all kinds of cloud-based websites, apps, and services — and the holes aren’t even all patched yet.

The Heartbleed bug allowed attackers to peel back the snoop-resistant lining of OpenSSL and peek at the communications between client and server. This gave hackers a look at things like passwords and session cookies, which are small pieces of data that the server sends you after you log in and your browser sends back every time you do something in order to prove it’s you. And if the bug affected a financial site, other sensitive information you were passing through the Net, like credit card or tax info, may have been seen.

How can the Internet best protect itself against catastrophic bugs like this? We have a few ideas.

Yes, you need safer passwords: Here’s how to make them

Okay, so better passwords wouldn’t prevent the next Heartbleed, but they may save you from being hacked someday. Many people are just awful at creating secure passwords.

You’ve heard it all before: don’t use “password1,” “password2,” etc. Most passwords don’t have enough of what’s called entropy—they are definitely not random and they will be guessed if an attacker ever gets the opportunity to make lots of guesses, either by hammering the service or (more likely) stealing the password hashes—mathematical derivations of the passwords that can be checked but not reversed back into the original password.

Whatever you do, don’t use the same password in more than one place.

Many service providers approach this problem by requiring users to have passwords of a certain length, containing punctuation and numbers to try to increase the entropy. The sad reality, though, is that rules like this only help a little. A better option is long phrases of actual, memorable words—what has become known as a “correct horse battery staple” password, in honor of this XKCD comic explaining the concept. Unfortunately, you may (like I do) run into providers that won’t let you use passwords like that. (Yes, there are financial institutions that cap you at 10 characters. No, I don’t know what they’re smoking.)

Password-management software or services that use end-to-end encryption can also help. KeePass is a good example of the former; LastPass of the latter. Guard your email well, as it can be used to reset most of your passwords. And whatever you do, don’t use the same password in more than one place—you’re just asking for trouble.

Websites need to implement One-Time-Passwords

OTP stands for “one-time password,” and you may already use it if you’ve got a website/service set up that requires you to use Google Authenticator. Most of these authenticators (including Google’s) use an Internet standard called TOTP, or Time-based One-Time Password, which is described here.

What is TOTP? In a nutshell, the website you’re on generates a secret number, which is passed once to your authenticator program, typically through a QR code. In the time-based variation, a new six-digit number is generated from that secret number every 30 seconds. The website and client (your computer) don’t need to communicate again; numbers are simply displayed on your authenticator and you supply them to the website as requested in conjunction with your password, and you’re in. There’s also a variation that works by sending the same codes to you via a text message.

LastPass Android App
LastPass’ Android app

Advantages of TOTP: Even if Heartbleed or a similar bug were to result in the disclosure of both your password and the number on your authenticator, the website you’re interacting with has almost certainly already marked that number as used and it cannot be used again—and it will be invalid within 30 seconds anyway. If a website doesn’t already offer this service, it can probably do so relatively easily, and if you have virtually any smartphone, you can run an authenticator. It’s slightly inconvenient to consult your phone to log in, granted, but the security benefit for any service you care about make it worth it.

Risks of TOTP: Breaking into a server a different way could result in the disclosure of the secret number, enabling the attacker to create their own authenticator. But if you’re using TOTP in conjunction with a password that isn’t stored by the website—most good providers store a hash that is strongly resistant against reverse-engineering it—then between the two of them, your risk is greatly lowered.

The power of client certificates (and what they are)

You’ve probably never heard of client certificates, but they’ve actually been around a very long time (in Internet years, of course). The reason you probably haven’t heard of them is that they’re a chore to get. It’s far easier to just get users to pick a password, so only high-security sites tend to use certificates.

What is a client certificate? Client certificates prove you are the person you claim you are. All you have to do is install it (and one works across many sites) in your browser, then choose to use it when a site wants you to authenticate. These certificates are a close cousin of the SSL certificates websites use to identify themselves to your computer.

The most effective way a website can protect your data is to never be in possession of it in the first place.

Advantages of client certificates: No matter how many sites you sign in to with a client certificate, the power of math is on your side; nobody will be able to use that same certificate to pretend to be you, even if they observe your session.

Risks of client certificates: The primary risk of a client certificate is that someone may break into your computer and steal it, but there are mitigations for that risk. Another potential issue is that typical client certificates carry some identity information you may not wish to disclose to every site you use. Although client certificates have been around forever, and working support exists in Web server software, there is still a lot of work to do on both service providers’ and browsers’ sides to make them work well. Because they’re used so rarely, they get little development attention.

Most importantly: End-to-end encryption

The most effective way a website can protect your data is to never be in possession of it in the first place — at least, not a version it can read. If a website can read your data, an attacker with sufficient access can read your data. This is why we like end-to-end encryption (E2EE).

What is end-to-end encryption? This means that you encrypt the data on your end, and it stays encrypted until it reaches the person you are intending it for, or it returns to you.

Advantages of E2EE: End-to-end encryption is implemented in a few services already, like online backup services. There are also weaker versions of it in some messaging services, especially those that cropped up after the Snowden revelations. It is hard for websites to do end-to-end encryption, though, for two reasons: they might need to see your data to provide their service, and Web browsers are terrible at performing E2EE. But in the age of the smartphone app, end-to-end encryption is something that can and should be done more often. Most apps aren’t using E2EE today, but we hope we’ll see more of it going forward. If your apps aren’t using E2EE for your sensitive data, you should complain.

Risks of E2EE: For end-to-end encryption to work, it must be done across the board—if an app or website only does it halfheartedly, the whole house of cards may collapse. One piece of unencrypted data can sometimes be used to gain access to the rest. Security is a weakest-link game; only one link in the chain must fail to break it.

So, now what?

Obviously, there isn’t a lot that you, as a user, can control. You’ll be lucky to find a service that uses one-time passwords with an authenticator. But you should definitely talk to the websites and apps you use and let them know that you realize bugs in software happen, and you think they should take security more seriously and not simply rely on passwords.

If more of the Net uses these these advanced security methods, maybe next time there’s a Heartbleed-scale software catastrophe—and there will be, eventually—we won’t have to panic so much. 

[Image courtesy of scyther5/Shutterstock]

Product Review

Garmin’s Forerunner 245 Music is all a runner needs to measure performance

Garmin's new Forerunner 245 fitness watch offers advanced metrics, onboard color maps and music. Is this trio a winning combination? We put the watch through its paces to find out.
Emerging Tech

The best solar chargers for your phone, tablet, and other battery-powered gear

Looking for a gizmo that can help you charge your phone while on the go? Here, we've outlined the best solar chargers on the market, whether you're looking to charge your phone once, twice, or three times over.

Make some time for the best smartwatch deals for May 2019

Smartwatches make your life easier by sending alerts right on your wrist. Many also provide fitness-tracking features. So if you're ready to take the plunge into wearables and want to save money, read on for the best smartwatch deals for…

Get your gaming on the go with the 25 best Android games

The Google Play Store is loaded with both terrific and terrible gaming titles. We vetted the store to bring you some of the best Android games available, whether you're into puzzles, shooters, racing games, or something else entirely.

These are the 20 best Android games you can play offline

Even in our increasingly connected world, you don't always have an internet connection on the go. To help you pass the time when you're disconnected, we compiled a list of the best Android games that can be played offline.

Want to watch Netflix in bed or browse the web? We have a tablet for everyone

There’s so much choice when shopping for a new tablet that it can be hard to pick the right one. From iPads to Android, these are our picks for the best tablets you can buy right now whatever your budget.
Product Review

Oppo’s cutting-edge Reno has a shark fin pop-up camera, and plenty of bite

The Oppo Reno has a very cool shark fin-style pop-up camera to make it stand out in a crowd, and a rear camera with a 10x zoom, plus there’s a 5G version coming soon. It’s truly up-to-date, with plenty of cutting-edge tech inside.

The best Amazon Prime Day 2019 deals: Everything you need to know

Amazon Prime Day 2019 is still a few months off, but it's never too early to start preparing. We've been taking a look at the best discounts from previous Prime Days to give you our predictions of what to expect this year.

Qustodio drops prices 10% on premium parental control software plans

With school almost out for summer, now is a prime time to keep your children's content consumption in check and protect your own peace of mind with Qustodio's premium parental control software plans, now available at 10% off.

As stock Android spreads, is it time for Android manufacturer skins to die?

Many Android device manufacturers seem to be moving towards a stock Android look and ditching separate skins, but there are a few notable exceptions. Do manufacturer interfaces for Android still add value, or is it time for them to die?

Prevent a broken screen with the best Google Pixel 3a XL screen protectors

The Pixel 3a XL is a solid choice if you're looking for a midrange phone with a large screen and a great camera. But it still needs protecting. Here are the best Pixel 3a XL screen protectors to keep your big display safe.

Guard your Galaxy with the best Galaxy S9 and S9 Plus screen protectors

The Galaxy S9 and S9 Plus are two of the best phones to ever grace this planet -- but the screen still isn't brick-proof. Here are the best Galaxy S9 and S9 Plus screen protectors to keep yours safe.

Huawei's situation in the U.S. may improve when trade war is resolved

The U.S. Commerce Department has added Huawei to its "Entity List." Google, Intel, and ARM are all confirmed or rumored to be ceasing business with the company, which may have disastrous effects on Huawei.

Best Memorial Day sales 2019: Amazon, Best Buy, and Walmart deals

If you're looking to save big on some shiny new stuff for Memorial Day 2019, we've gathered everything you need to know into one place. Find out where to save the most money before the summer hits its stride.