When reflecting on Heartbleed, I marvel at data indicating how quickly key websites and web services seem to have responded, honoring the trust of users, putting their safety first.
Heartbleed's vulnerability announcement was a little different than the classic Full Disclosure email or patch announcement - it had a website, branding, and pretty tight messaging. The technology community did not rest on their laurels and pontificate on validity- we uniformly launched into action, thanks in part to the clarity of the presentation.
While corporate security and IT teams raced to patch systems and deploy updated certificates, vendors worked aggressively to put out test signatures, and researchers launched websites and browser plugins to test specified websites for vulnerability.
Word spread, and the general public started to become aware that this vulnerability was about trust.
One question, that we security types live with, became top of mind in a new way: "Is this website safe to use?" Non-technical dialogue spiked when screenshots demonstrated that usernames and passwords could be accessible via this attack.
"CHANGE YOUR PASSWORDS" seemed like great advice, as it always does, until that nagging question echoed back, "Is this website safe to use?" sounding more important (again) as the common user (and us very justified and paranoid types) stopped to ask: "If the website isn't patched yet, should I give it my password?"
... and how are users to know? If it’s not obvious for security professionals, it’s likely much more confusing for the broader community.
Many websites announced their patched status, and recommended a password change. Others went a step further to email their users, educate and inspire confidence. Some remain silent... which brings inquiring minds back to start testing websites. The problem here is that it’s unclear where the legal limits are.
Understanding the Law
There are a couple of ways to test a website or web service for this vulnerability. The most accurate one involves directly testing the bug allowing someone to _read server side memory_ -- that is, looking at information on computers owned by others.
Internet users may not be aware that probing a vulnerable server that you do not own and you do not have explicit permission to test, to read memory that may contain secrets including other people's passwords may raise legal questions under the anti-hacking laws of many countries.
Shouldn’t people have a basic right to know when they are at risk? The challenge here is that in the technology-powered world we live in, it’s common for people to use and trust services that they do not own. Identifying how and where you are vulnerable may require testing systems and services that have a real impact on you, but do not belong to you – especially when those services are slow to fix vulnerabilities, or even tell their users whether they are at risk and how to protect themselves.
Technology and its impact on society are evolving so quickly that the law cannot easily keep up. Further complicating this, the internet is global, and not a network to which national borders easily apply.
Why does all this matter?
Last week we observed one of the largest campaigns of security testing ever conducted on the internet, undertaken by both the general public and security professionals all around the world. These people have been using a range of tools made available by the security community to help internet users identify whether they are at risk due to Heartbleed.
In a discussion with my friend Chris Wysopal (@Weldpond) about tools allowing the public to check a site for Heartbleed, he stated, "these tests are useful for users to get an understanding if they are at risk logging into a vulnerable site... The widespread scanning by researchers helps the community understand the scope of the problem."
These tools are designed to be so simple my mom can use them, and rightly so; I want her to know when she’s at risk, and I want her to be taking the necessary action to protect herself.
But what if she’s not just at technical risk, but also at legal risk because she’s accessing someone else’s computer and thus violating anti-hacking law? I know it’s unlikely the FBI will burst through my mom’s door and arrest her for checking whether her favorite social networking site is affected by Heartbleed. The principle remains: if the very law designed to help protect her from cybercrime is constructed in such a way as to bar action that would help her protect herself from cybercrime, isn’t that a problem?
So what does this all mean?
We have work to do in terms of building laws that address the problem of cybercrime without exposing people to further risk. I don’t know what the solution is, or how quickly it will come.
It does occur to me though that Heartbleed has created an interesting precedent:
- Hundreds, maybe thousands of people have gone on record, confessing on social media to testing web sites and services they do not own.
- People worldwide voluntarily admitted to performing a test where there would have likely been no record, all likely without explicit permission of the computer owners.
- This might be the most extensive security research effort to date, with non-security people around the world effectively scanning websites, concerned for their own safety.
This will hopefully help people understand the value of bona fide security research, and that it should not be impeded by laws designed to defeat cybercrime. The internet ecosystem is incredibly multi-faceted, multi-layered and interconnected. It’s complex, and any efforts to protect users, will also involve considerable complexity.
We need to spend time investigating and understanding that complexity and the associated risk. We need to appreciate that while it’s important to punish criminals for their crimes, it’s crucial to help people avoid becoming victims of crime in the first place. Prevention is less costly on both an individual emotional level, and an organizational financial level.
Join in the discussion with @Rapid7 and @treyford on Twitter, or in the comments section below.