How to avoid Heartbleed or similar SSL related vulnerabilities?
By Albert CHING (CEO & CTO), TAN Jit Kiat (Director, Product Engineering ), and Priyesh PANCHMATIA (Director, Solutions)
April 24, 2014 – The latest disclosure of Heartbleed, an OpenSSL encryption bug, is yet another reminder of the security threats we continue to face. The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users1.
This bug has resided in production software for more than two years and is described as “catastrophic” by leading security experts2. The immediate solution is to identify affected systems, apply the fix and update the SSL certificates. Users also need to be informed to change their passwords and track misuse of the exposed information.
Even if the bug is patched today, there is no guarantee that a similar type of bug does not resurface or stay hidden in software undiscovered. Such vulnerability with similar impact could arise in the future from another SSL library or application product.
It also leads to questions whether Secure Socket Layer (SSL) is sufficient to protect data confidentiality and integrity of online transactions. How can enterprises manage the risk of future data leak through web services and convince their customers that their data is safe from eavesdroppers? Would it have been possible to have done something to mitigate the risk of such an event?
To prevent exposure of sensitive data even if SSL encryption is broken, enterprises need a strong data protection solution such as end-to-end encryption (E2EE) to protect passwords and sensitive transaction data. E2EE ensures that sensitive data stays encrypted even within the memory of vulnerable web or application servers. It offers protection to the HeartBleed type of bug as well as prevents insiders such as software developers or DBAs from leaking sensitive data accidentally or deliberately. In fact both Monetary Authority of Singapore (MAS) and Hong Kong Monetary Authority (HKMA) have mandated financial institutions to adopt E2EE for protection of passwords as well as critical transaction data in the e-banking sites.
i-Sprint Universal Authentication Server (UAS) E2EE for Credential and Transaction Data Protection solution has been designed to meet the E2EE requirements. It is a complete end-to-end encryption solution that is bundled with a FIPS certified Hardware Security Module (HSM) and user endpoint encryption libraries that supports all major web browsers as well as Apple iOS, Android, Blackberry, Windows mobile platforms.
i-Sprint UAS E2EE solution is a proven solution among many financial institutions and provides an off-the-shelf product to enable organizations to encrypt the password and sensitive data and send the encrypted data over a communication channel in addition to the SSL protection. This is done by using an encryption library and key data to encrypt the data at the point of entry (user desktop/smartphone) before submission to the server side. This data remains encrypted all the way to the web server and even the application server. The data may be decrypted at the application server, however in the case of passwords, they remain encrypted and are verified inside a HSM. HSMs are cryptographic devices using tamper resistant hardware built to meet the FIPS standards. Thus the passwords are encrypted from the point of entry to the point of comparison. Apart from mitigating against Heartbleed type of vulnerabilities, this ensures that nobody in the intranet has access to the password in clear during transit and storage, as well as protecting against internal fraud.
In summary, effective data protection requires a combination of layered security solutions and the right processes. Organizations should not wait for the next web server vulnerability and should look into implementing End to End Encryption solutions at the application layer to protect their confidential information instead of relying on SSL protection.