Programming, Thoughts

Heartbleed Bug & Conspiracy Theory

So for those of you who don't know, the Heartbleed bug was recently exposed as a direct vulnerability in the OpenSSL library. SSL is the handshake technology which allows all websites to 'secure' their transfer of information via HTTPS. Ever see that green lock at the top of your URL bar? Yeah, that means it's a secure connection.

Well the shitty part is that SSL connections are used in every single private technology in our everyday life. This includes (but is not limited to): email (Gmail), instant messaging services (Facebook), credit cards (Amazon/PayPal)... basically the entire web. What we thought was 'secure' really was vulnerable all along. (Here's a list of the top 10000 websites which are still vulnerable)

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users."

Sounds like a lot of technical mumbo-jumbo, but in essence, the Heartbleed bug allows any attacker, anywhere, to access all the information from these 'secure' servers without anyone ever knowing anything was touched/accessed/tainted. Your passwords -- vulnerable; your emails -- vulnerable; your messages -- vulnerable; your ENTIRE IDENTITY -- vulnerable. Want to see how easy it is? Look here
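To make the "read the memory of the systems" part concrete, here is an added, simplified model of the bug (my own illustration, not OpenSSL's code): a heartbeat record carries its own payload length, the vulnerable handler trusts that field and copies that many bytes, so whatever sits next to the record in memory ends up in the reply; the fixed handler checks the claimed length against the bytes actually received. The buffer layout and the "secret-key-material" bytes are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a heartbeat record: 2-byte big-endian payload length, then the
 * payload. It sits inside a larger buffer holding other data, standing in
 * for the process heap around a real TLS record. */

/* Vulnerable handler: trusts the length field inside the record and copies
 * that many bytes into the reply, reading past the record's real end. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap) {
    (void)rec_len;                                  /* never consulted */
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (claimed > out_cap) claimed = out_cap;       /* bounds only the reply */
    memcpy(out, rec + 2, claimed);                  /* over-reads the source */
    return claimed;
}

/* Fixed handler: the claimed length must fit inside the bytes actually
 * received; otherwise the record is silently dropped. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap) {
    if (rec_len < 2) return 0;
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (claimed + 2 > rec_len || claimed > out_cap) return 0;
    memcpy(out, rec + 2, claimed);
    return claimed;
}

/* Constructed memory: a 4-byte record claiming a 40-byte payload, followed by
 * unrelated data that merely happens to live next to it. Returns the reply
 * length and sets *leaked if that neighbouring data was copied out. */
static size_t demo(int use_fix, int *leaked) {
    uint8_t memory[64] = {0x00, 0x28, 'h', 'i'};    /* 0x0028 = 40 claimed */
    memcpy(memory + 4, "secret-key-material", 19);  /* neighbouring data */
    uint8_t reply[64] = {0};
    size_t n = use_fix ? heartbeat_fixed(memory, 4, reply, sizeof reply)
                       : heartbeat_vulnerable(memory, 4, reply, sizeof reply);
    *leaked = n >= 21 && memcmp(reply + 2, "secret-key-material", 19) == 0;
    return n;
}
static size_t demo_reply_len(int use_fix) { int l; return demo(use_fix, &l); }
static int demo_leaked(int use_fix) { int l = 0; demo(use_fix, &l); return l; }

int main(void) {
    printf("vulnerable: %zu bytes, leaked=%d\n", demo_reply_len(0), demo_leaked(0));
    printf("fixed:      %zu bytes, leaked=%d\n", demo_reply_len(1), demo_leaked(1));
    return 0;
}
```

The vulnerable path answers a 2-byte payload with 40 bytes, 19 of which were never part of the record; the fixed path returns nothing, which is exactly why the patched servers stop leaking.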

You want to know what's the absolutely scariest part of this bug? Here's a short excerpt from BBC:

Google Security and Codenomicon - a Finnish security company - revealed on Monday that a flaw had existed in OpenSSL for more than two years that could be used to expose the secret keys that identify service providers employing the code.

Did you guys read that correctly? Read it again. This vulnerability has been out for MORE THAN TWO FUCKING YEARS. Can anyone say conspiracy theory????

(More technical portion here) Essentially, the way SSL works is through certificate authorities (CAs), which are Queen Certificates -- these queens determine which sites/certificates are deemed secure (HTTPS). Why does this suck? Because the whole security of the systems and the web is based on these Queens. Let's take a look (taken from here):

Queens

  • Symantec (Verisign, Thawte, Geotrust) - 38.1%
  • Comodo - 29.1%
  • GoDaddy - 13.4%
  • GlobalSign - 10%
  • Others - 9.4%

This is absolutely fucking retarded because 4 companies control 90% of the internet's secrets. Who the hell trusts 4 companies with 90% of all of your secrets???!!!!

Which brings me back to the conspiracy theory here. For 2+ years, the NSA/Government could have known about this bug within OpenSSL and easily exploited it to retrieve not one, but ALL OF YOUR INFORMATION without the consent of the larger corporations, Google/Facebook/Amazon just to name a few. Remember that PRISM scheme in which every single large company released very similar statements to plug their butts from leaking??

Well guess what. There's been a fucking IV inserted directly in their heart, in which not only the USA, but any human being in the world can peek at your DNA. Heartbleed & NSA. You win.

PRISM: Please Remember I'm a Slave Mind.
