The Heartbleed bug dilemma: Disclosing a web problem also means alerting hackers

The Heartbleed software bug is not only one of the most serious online security breaches in recent memory, it has also demonstrated how difficult it is for websites to tell their customers whether they’re at risk or not.

The Heartbleed revelation "happened very rapidly, and it happened on such a big scale, that some sites have handled it better than others," says Eric Skinner, vice-president of market strategy for the Tokyo-based internet security firm Trend Micro.

"This is a classic problem with computer security vulnerabilities, which is: When do you disclose? How do you disclose?" he says. "Because when you disclose, you’re obviously giving people an opportunity to fix the problem, but you’re also providing hackers with an opportunity to exploit the problem."

The Heartbleed bug was revealed on April 7 by Google and Finnish security firm Codenomicon, and affects OpenSSL, a software program used to encrypt Internet communications. It has been estimated that two-thirds of web servers were vulnerable.

In a blog post about the significance of the bug, noted cryptography expert Bruce Schneier wrote: "On the scale of 1 to 10, this is an 11."

Security researchers say the breach allows hackers to access small bits of information at a time that could lead to personal and financial information stored on a website and steal that without leaving a trace. The Heartbleed breach is particularly risky for sites that handle e-commerce or personal information, including passwords.

While the Canadian Bankers Association released a statement saying Heartbleed did not affect Canadian banking sites, the website of the Canadian Revenue Agency (CRA) was compromised. CRA has announced that it may not accept online tax filings until the weekend.

In the wake of the Heartbleed discovery, there has been confusion among consumers about what they should be doing, including whether they should be altering their passwords.

A lot of the confusion arises from the fact that not all sites have been equally transparent about the breach, says Skinner.

Stu Sjouwerman, president and founder of the U.S. anti-virus firm KnowBe4.com, believes many smaller website operators haven’t even got the security apparatus to fully assess the problem.

"Most small businesses have no idea what this is all about," Sjouwerman says. They’re largely in the dark about the more technical aspects of the internet, and as a result "most of them have said nothing" to their customers.

As for higher-traffic sites, the response has varied. According to a list compiled by Mashable.com, Amazon said it wasn’t affected by the breach, while AOL said it was not running that version of the OpenSSL software. It took Apple almost three days before issuing a statement Thursday that none of its mobile, desktop or web services would be affected by the Heartbleed bug.

Part of the problem in determining what might be affected is that Heartbleed enables a hacker to sneak in and access data without leaving a trail. So it’s hard to figure out whether a site has been compromised, says David Fewer, director of the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic at the University of Ottawa.

"The nature of the vulnerability here is you don’t know if there’s a breach or not," he says.

Fewer says some larger sites, such as Facebook and cloud services provider Akamai Technologies, were at an advantage because they received advance notice about Heartbleed from Open SSL Foundation — the group that developed the open-source version of SSL — before the problem was made public.

Google, for example, made its statement after patching its vulnerabilities. In a statement released Apr. 9, Google said, “We fixed this bug early and Google users do not need to change their passwords.”

Sjouwerman says that every company has its own policy when it comes to disclosing data breaches. "There is no internet etiquette related to these types of incidents."

The Canadian government, however, is in the process of introducing a bill that would levy heavy fines on companies that do not report data breaches.

Fewer says that the way the “breach protocol” usually works is that the security researcher who found the vulnerability notifies the affected company so it has an opportunity to find a safeguard before telling its customers.

"So you don’t just come [to your customers] with a problem, you come with a solution," he says. "And also, so you don’t tip your hand to the bad guys."

The problem with Heartbleed, however, was that it was a widespread vulnerability, and Fewer says getting all of the affected sites to work in concert is near impossible.

"You can’t realistically coordinate all these vendors and sites to update their software before the disclosure," he says. In this instance, broad disclosure was appropriate, "but that does unfortunately create a window of vulnerability. But it’s the only way to get all the sites to do something about it."

David Lewis, a global security advocate for Akamai Technologies, believes that being up front with consumers is always the best policy.

It’s "in the best interest of that company to get ahead of the spin and talk to their customers and say, ‘This is what happened, this is how we’re fixing it, and this is why it won’t be a problem next time’ – or why there won’t be a next time," he says.

"It just fosters a good relationship with the customer base."