How to avoid Heartbleed or similar SSL-related vulnerabilities

The latest disclosure of Heartbleed, an OpenSSL encryption bug, is yet another reminder of the security threats organizations continue to face.  The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by vulnerable versions of the OpenSSL software. It compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

This bug has resided in production software for more than two years and is described as “catastrophic” by leading security experts.  The immediate solution is to identify affected systems, apply the fix and update the SSL certificates. Users also need to be informed to change their passwords and track misuse of the exposed information.

Even if the bug is patched today, there is no guarantee that a similar type of bug does not resurface or stay hidden in software undiscovered.  Such vulnerability with similar impact could arise in the future from another SSL library or application product. 

It also leads to questions whether Secure Socket Layer (SSL) is sufficient to protect data confidentiality and integrity of online transactions. How can enterprises manage the risk of future data leak through web services and convince their customers that their data is safe from eavesdroppers? Would it have been possible to have done something to mitigate the risk of such an event? 

To prevent exposure of sensitive data even if SSL encryption is broken, enterprises need a strong data protection solution such as end-to-end encryption (E2EE) to protect passwords and sensitive transaction data.  E2EE ensures that sensitive data stays encrypted even within the memory of vulnerable web or application servers. It offers protection to the HeartBleed type of bug as well as prevents insiders such as software developers or database administrators from leaking sensitive data accidentally or deliberately. In fact, both the Monetary Authority of Singapore (MAS) and the Hong Kong Monetary Authority (HKMA) have mandated financial institutions to adopt E2EE for protection of passwords as well as critical transaction data in the e-banking sites.

Like many financial institutions, organizations should adopt the same best practices to encrypt the password and sensitive data and send the encrypted data over a communication channel in addition to the SSL protection. This can be done by using an encryption library and key data to encrypt the data at the point of entry (user’s desktop/smartphone) before submission to the server side. This data remains encrypted all the way to the web server and even the application server. The data may be decrypted at the application server. However, in the case of passwords, they remain encrypted and are verified inside a hardware security module (HSM).  

HSMs are cryptographic devices using tamper-resistant hardware built to meet US Federal Information Processing Standards (FIPS) standards. Thus the passwords are encrypted from the point of entry to the point of comparison.  Apart from mitigating Heartbleed vulnerabilities, this ensures that nobody in the intranet has access to the password during transit and storage and protects against internal fraud.

In summary, effective data protection requires a combination of layered security solutions and the right processes. Organizations should not wait for the next web server vulnerability and should look into implementing E2EE solutions at the application layer to protect their confidential information instead of just relying on SSL protection.

Albert Ching is the CEO & CTO of identity, credential and access management solutions provider i-Sprint Innovations, while Tan Jit Kiat is the company’s director of Product Engineering and Priyesh Panchmatia, its director of Solutions.