“Heartbleed” Follow-ups: Web slowdown coming? Plus: Your Hand as a Credit Card
Introduction
It’s no secret that news on the internet commerce / security / hack & bug front is “breaking” faster and more furiously than we’d like. But we’re determined to keep your web security updates coming, so the surprises you have to plan for can be… a wee bit less surprising.
The LaCie Breach
We’ll get to “Heartbleed” in a moment, but also know that Krebs on Security has just reported a year-long breach of the LaCie company website, in which customer information could have been exposed. LaCie makes hard drives and data-storage units, and if your company bought anything from them between March 2013 and March 2014, you may want to double-check your accounts.
Heartbleed Update
When it comes to the extensive “Heartbleed” issue, the news has been a roller coaster. Initially there was a belief that it might not be as severe as feared, because a server’s private key supposedly could not be obtained through the “flaw.”
Private Keys at Risk
However, once a public hacker challenge was issued, that notion was proven wrong: the private keys were recovered and disclosed. Regrettably, this means an attacker holding a site’s private key can impersonate that site, setting up a convincing replica to trick people into logging in and revealing their private financial data.
Security Advisory
With everyone so wary, the Federal government, as reported on the American Banker site, issued an advisory to financial institutions (though many reported they were already safe, since they weren’t using OpenSSL, the TLS library with the vulnerability), saying: “Financial institutions should consider replacing private keys and X.509 encryption certificates after applying the patch for each service that uses OpenSSL and consider requiring users and administrators to change passwords after applying the patch.” Note the order: patch first, then a new private key, then a new certificate. Re-issuing a certificate for a key that may already have leaked accomplishes nothing, and changing passwords before the patch just hands the new ones to the same bug.
Certificate Revocation
And large non-finance companies like Amazon and Google were busy patching any potential leaks. But that very rush to patch, and to replace certificates, may come at a certain cost. The Washington Post’s “Switch” column reports the following:
According to experts, the next required step is for all 500,000 affected websites, from small local businesses to large corporations, to revoke their security certificates and issue new ones.
Web Performance Impact
But as necessary as that process is, it could have dramatic consequences for Web users’ everyday experiences.
When you access a secure website, your browser checks the site’s certificate against a list of revoked certificates (a certificate revocation list, or CRL) published by the authority that issued it. Depending on its configuration, your browser will likely download this list to your computer. Since websites rarely revoke their certificates, these lists are usually short.
“But the Heartbleed exploit now requires hundreds of thousands of sites to add their certificates to the list, practically overnight. The certificate revocation lists will become bloated with new entries. And browsers will continue to download the now-massive files,” which could gum up “cruising speeds,” or certainly “user speeds,” on the internet, quite a bit.
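The two steps described above, the advisory’s “new key, then new certificate” and the browser’s CRL check that the Post worries about, can be walked through on a laptop. The following script is an added example, not code from the page, the Post, or any vendor: it builds a throwaway certificate authority with the openssl command-line tool, issues a certificate for a hypothetical site www.example.test, “patches” by generating a brand-new key and re-issuing, revokes the old certificate into a CRL, verifies both certificates against that CRL the way a browser would, and then revokes a batch of extra certificates so you can see how many bytes each revocation adds to the list. The hostnames, CA name, temporary paths and the number 20 are all illustrative; it needs only a POSIX shell and an openssl binary (1.1 or newer).

```shell
#!/bin/sh
# Added example (not from the page or any vendor): a toy Heartbleed recovery drill.
# A hypothetical site www.example.test had its private key exposed. We patch, make a
# NEW key, re-issue, revoke the old certificate into a CRL, check both certificates
# against the CRL, then revoke more certificates to watch the CRL grow.
set -eu
command -v openssl >/dev/null || { echo "openssl CLI required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CADIR="$WORK/ca"
CNF="$WORK/ca.cnf"

# Throwaway root CA plus the bookkeeping files that 'openssl ca' insists on.
setup_ca() {
    mkdir -p "$CADIR/newcerts"
    : > "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    echo 01 > "$CADIR/crlnumber"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
unique_subject = no
policy = policy_any
x509_extensions = v3_leaf
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
    openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$CADIR/ca.key" -out "$CADIR/ca.pem" -subj "/CN=Toy Root CA" \
        -days 365 2>/dev/null
}

gen_key() { openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null; echo "$WORK/$1.key"; }

# Issue a certificate for hostname $1 with key $2, stored under name $3; prints its path.
issue_cert() {
    openssl req -new -config "$CNF" -key "$2" -subj "/CN=$1" -out "$WORK/$3.csr" 2>/dev/null
    openssl ca -batch -config "$CNF" -in "$WORK/$3.csr" -out "$WORK/$3.pem" -notext >/dev/null 2>&1
    echo "$WORK/$3.pem"
}
revoke_cert() { openssl ca -config "$CNF" -revoke "$1" >/dev/null 2>&1; }
gen_crl()     { openssl ca -config "$CNF" -gencrl -out "$WORK/crl.pem" 2>/dev/null; }
crl_bytes()   { openssl crl -in "$WORK/crl.pem" -outform DER | wc -c | tr -d ' '; }

# SHA-256 of the certificate's public key: this is what must change after a leak.
pubkey_fp() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'; }

# The browser-side check from the text: validate the chain, then consult the CRL.
# Prints OK, REVOKED or FAIL.
check_cert() {
    out=$(openssl verify -crl_check -CAfile "$CADIR/ca.pem" -CRLfile "$WORK/crl.pem" "$1" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo REVOKED ;;
        *": OK"*)                echo OK ;;
        *)                       echo FAIL ;;
    esac
}

# Issue and revoke $1 more certificates (sharing one key; only the CRL entries matter),
# regenerate the CRL and print its new DER size in bytes.
revoke_many() {
    i=0
    while [ "$i" -lt "$1" ]; do
        i=$((i + 1))
        revoke_cert "$(issue_cert "host$i.example.test" "$NEW_KEY" "extra$i")"
    done
    gen_crl
    crl_bytes
}

setup_ca
OLD_KEY=$(gen_key old)                                  # the key that sat in vulnerable server memory
OLD_CERT=$(issue_cert www.example.test "$OLD_KEY" old)
NEW_KEY=$(gen_key new)                                  # after patching: a fresh key, not just a fresh cert
NEW_CERT=$(issue_cert www.example.test "$NEW_KEY" new)
revoke_cert "$OLD_CERT"
gen_crl
BASELINE=$(crl_bytes)
echo "old cert: $(check_cert "$OLD_CERT")  new cert: $(check_cert "$NEW_CERT")"
echo "old pubkey $(pubkey_fp "$OLD_CERT" | cut -c1-16)...  new pubkey $(pubkey_fp "$NEW_CERT" | cut -c1-16)..."
BLOATED=$(revoke_many 20)
echo "CRL: $BASELINE bytes with 1 entry, $BLOATED bytes with 21 (about $(( (BLOATED - BASELINE) / 20 )) bytes per revocation)"
```

Two things are worth noticing when you run it. First, the old certificate is rejected only because the verifier was handed the CRL (`-CRLfile`) and told to consult it (`-crl_check`); a client that skips the download, or fails open when the list is too big or slow to fetch, would still accept the leaked certificate. Second, the per-revocation cost is a few dozen bytes (a serial number and a timestamp), which is nothing for one site and a lot when hundreds of thousands of entries land in the same lists at once, which is exactly the Post’s point.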
In any case, it will require some time to resolve, and vigilance is necessary – as it often is.
When you reach out to your AVPS rep, make sure all your security options are up to date. And make sure your customers, who may soon be facing some online slowdowns, have as many payment alternatives as possible for doing business with you.
Conclusion
Meanwhile, we leave you with some potentially better news: “a Swedish student at Lund University has devised a way to pay for goods using a vein map of your hand,” according to the BetaBeat website.
“Fredrik Leifland’s system uses vein-scanning technology that already existed… He merely connected the scanning terminals, banks, stores and customers to create a new system.”
Upwards of 15 stores near the campus are already using the technology. We will assume that the veins in your hand remain, for now, unhackable (at least until they perfect the whole “replicant” thing). So: take good care of them, and we’ll see you with another week’s worth of news soon.