The Heartbleed bug has generated a lot of catastrophic commentary and reverberating repercussions since it was publicly disclosed on April 7.
“‘Catastrophic’ is the right word,” wrote Internet security expert Bruce Schneier on his blog. “On the scale of 1 to 10, this is an 11.”
That intensity of reaction is not surprising given estimates that around half a million of the Internet's secure web servers (some 17 per cent) were believed to be vulnerable to attack due to Heartbleed, in addition to countless embedded devices such as firewalls and routers.
An avalanche of media coverage means anyone affected has likely heard of the problem. Does that mean Heartbleed is yesterday’s story?
Absolutely not. Heartbleed remains very much a live issue and one that will not be fixed quickly.
The great challenge of addressing the Heartbleed vulnerability is that it requires a three-fold fix.
First, organisations that have deployed the flawed version of OpenSSL must replace it with the revised version; second, revoke and re-issue their SSL certificates; and third, notify customers to change their passwords.
Any users who changed their password before step two occurred must do it again.
With all this, however, there is an upside to Heartbleed. It has shone a spotlight on the dirty secret of Internet security – the impoverished state of password management.
We use passwords to secure every aspect of our online lives. The problem is that for a password to stay effective, it must pass three simple tests: it must be unique, longer than eight characters (combining letters, numbers, symbols and CAPITALS), and changed regularly.
Password generators do a great job of this – but they create passwords that are so random they can be impossible to remember.
Password managers in web browsers or third-party tools like KeePass, LastPass, 1Password and Apple’s Keychain help, but they do not get around the problem that the owner of 100 web accounts should change each one four times a year – that’s more than one a day – never using the same one twice.
Who has time for that?
Clearly, one password per website is simply not feasible no matter which managers, generators or “shock horror” plain text word documents people might employ. The only obvious solution is to get rid of most passwords. And the fact is that we’ve known how to do this for a long time.
Using Single Sign-On technologies such as SAML, OpenID or OAuth enables users to vastly reduce the number of passwords they need to manage.
SAML (Security Assertion Markup Language) is an XML-based open standard data format for exchanging authentication and authorisation data between parties, in particular, between an identity provider and a service provider.
Secure SAML-based Single Sign-On means users enter passwords less frequently – perhaps just once a day – so keyboard loggers and other forms of attack on both the client and the server end (Heartbleed among them) become less effective, or at least vastly more difficult to exploit on a large scale.
Products such as Centrify User Suite – SaaS Edition provide Single Sign-On identity management for web applications across a large range of devices and operating systems, from desktop and notebook computers to smartphones and tablets. Centrify’s approach allows you to leverage your on-premise Active Directory (or a Cloud directory) to provide Single Sign-On to enterprise cloud-based applications. It also provides a password vault for those recalcitrant sites that have not yet implemented SAML or similar technologies.
Users then need to recall only one password to access almost all online resources – with two-factor authentication for those sites where one needs extra security. In addition, by combining what you know (your password) with what you have (your registered device), these federated services can use device-attestation to provide more flexible and stronger authentication.
The upside of Heartbleed is that it has hurt users and enterprises enough that they will actively consider password alternatives. Also, they will no longer accept out-dated security mantras such as “just pick a safe password and change it frequently” when it clearly does not work or scale.
Users and enterprises should no longer regard SAML as just a nice-to-have feature, but as a business-critical requirement for any website they intend staff to interact with.
The websites of the world have been put on notice. Get behind certificate-based authentication, or you will risk losing your customers – with extreme prejudice!
If the enduring impact of Heartbleed is to prioritise the widespread adoption of SAML-based authentication, then the payoff will be worth the pain.