By Simon Rice, Group Manager.
Many of you will have heard of the security flaw which came to be known as Heartbleed. The flaw effectively allowed individuals with the right know-how to access the information being exchanged between individuals and some websites that were using a certain type of encryption software known as OpenSSL.
Until a few weeks ago, few people outside the world of IT security had heard of OpenSSL, SSL or TLS. For those that haven’t, SSL and TLS are standard security protocols that make sure that the communication between a client and a server (i.e. between your web browser and a website) is encrypted, so it cannot be understood if the data is intercepted. The most common way people will see that they are using the technology is through the padlock symbol being displayed in a web browser’s address bar, or the web address starting with ‘https’.
OpenSSL is a particular implementation of this technology. While estimates vary on its use, it is clear that OpenSSL is used not only across many websites, but also in many other connected devices, such as routers, video cameras and other devices that make up the so-called “Internet of Things”.
In early April, it was discovered that a change made to the OpenSSL code two years ago introduced the Heartbleed vulnerability. Thankfully a patch for the Heartbleed flaw was released at the same time the vulnerability was made public, but it does require the website administrator to take some action in order for the problem to be fixed. Without this update being applied the information could still be intercepted. This applies to all devices so make sure you apply any updates provided by the devices’ manufacturers.
While the Heartbleed flaw is in the processes of being resolved, another issue that organisations often overlook when using SSL or TLS is that there are two aspects to its use:
- encrypting the data in transit; and
- providing assurance of identity using digital certificates.
It’s quite common to see servers which have encryption set up, but have not set up a digital certificate properly. In most cases, this is inadequate. After all, what’s the point of having a secure line of communication if you can’t be sure who you’re communicating with? Your organisation must make sure the certificate they are using is setup correctly.
You should also ensure that your organisation is not using an older version of SSL as many of these no longer provide effective protection against interception. If you don’t have the expertise to resolve these issues, speak to someone who does.
The important thing to remember is that vulnerabilities are discovered all the time in all types of software. However, most won’t get their own logo or achieve the same level of media coverage as the recent Heartbleed flaw. You need to have a process in place to make sure your organisation is aware of the latest vulnerabilities and you are in a position to take steps to mitigate the risks presented for your IT systems at an early stage. If you don’t, your organisation’s IT system will become increasingly exposed over time as more and more vulnerabilities are discovered.
Information about how you can make sure your organisation’s website is securely using SSL and TLS encryption, along with advice on keeping your IT systems up-to-date, can be found in this week’s IT security report.
Tomorrow we take a look at password security and why there’s more to it than simply asking for ‘123’…
|Simon Rice is the Group Manager for the Technology team which provides technical expertise to all ICO departments in order to support the broad range of activities undertaken by the ICO.|
Last updated 15/05/2014 14:15