The "Goto Fail" and "Heartbleed" Bugs

Lessons from 2014 Still Relevant Today

Introduction

Many users and business managers pay little attention to security alerts in the IT world, even those that make the news, because they figure their computers automatically download and install fixes to new security flaws, run endpoint security (anti-virus) software, and make frequent backups of data. But if the extra hype back in 2014 made you think the so-called Goto Fail and Heartbleed bugs might be truly serious, you were right. Goto Fail enables easy treachery if you're targeted while using an unpatched MacBook, while Heartbleed can expose the private information of users of a vulnerable web server. Both could expose passwords, leading to greater infiltration, unauthorized money transfers, or worse. Although fixes became available years ago, this spectacular episode continues to teach two important lessons:

1. How a simple programming error by one guy can potentially undermine the entire security apparatus that protects all the sensitive information you might transmit or store on an affected website. Severe vulnerabilities can and will happen again. And we did see another pair of major flaws in 2018, this time in hardware that was designed, reviewed, and quality tested by the world's standard-setting hardware manufacturer. You'll find a link to our article on the 2018 episode at the bottom of Part 4 of this article.
2. The importance of having a vulnerability management program at the very least, and, ideally, a full information security program. Heartbleed affects servers, which don't automatically update as do Windows or Mac workstations. So if you have any kind of servers, on-premises or in the cloud, and you're not sure that all software that could be affected by Heartbleed has been patched with the fix, your servers may remain vulnerable.

This article is for the technically-inclined, and focuses on the real-world effect of these bugs, explaining why they were called the worst security flaws in Internet history, as well as how to fix them if you haven't already. If you're an executive manager and would like to learn about implementing a vulnerability management or information security program right away, visit the J.D. Fox Exec website. Otherwise, let's continue by starting with the basics of what these bugs entail.

Both bugs introduced breaches into the common security system used by websites and mail servers to keep your passwords, e-mails, and data safe from eavesdropping in transit. Secure websites and all mail servers use a procedure called SSL to prove that the server you're communicating with is the one you think it is. SSL also enables your computer to send your password, and all other information, encrypted in such a way that only that server can decrypt it, and vice-versa. This happens transparently; if you see the https:// prefix in a website's address, or select the SSL or TLS checkbox when setting up your e-mail, then your computer will use SSL.

This all relies on the absolute secrecy of a tremendously long and unguessable string of numbers called a private key, generated by each server for itself and never transmitted. Even though the private key never leaves the server and is unknown to your computer, your computer can always tell whether any given server has the correct private key, and can use it to create a unique and secret encryption key for sending information to that server. How that works is beyond the scope of this article, but it's a fascinating feat of mathematical wizardry if you want to delve into it. It's also amazingly secure; the authentication mechanism is virtually impossible to break through clever technological trickery or brute force.

Goto Fail and Heartbleed are programming errors that compromised the integrity of these server private keys. As you can imagine, when this happens, the entire SSL system can be rendered useless—or worse than useless, if it's insecure and you don't realize it. So, let's see how these bugs did it.