Just like privacy, is it time to assume that security is dead?
Hot on the heels of Heartbleed, a 10-year-old OpenSSL flaw has emerged, letting hackers intercept supposedly secure traffic.
For years we've been taught that the presence of the SSL encryption padlock is enough to assure us that we're safe online, but clearly it's not. In the last few months we've seen a bug in the way Apple gadgets authenticate secure websites, followed by the Heartbleed flaw which shook online security to its foundations and left many of the web's biggest names open to attack. It's difficult to overstate their severity.
As if that wasn't enough to shake your faith in online security, now the OpenSSL Foundation has unveiled details of a decade-old flaw which lets hackers intercept supposedly secure traffic passing through public wi-fi hotspots. Only this week I questioned the wisdom of using public wi-fi rather than mobile broadband, but I was accused of scaremongering by some who felt that SSL encryption keeps you safe no matter what. This clearly is not the case, and services which rely on OpenSSL have been exposed to man-in-the-middle attacks through this bug for a decade.
It's important to note that none of these security flaws actually involve cracking OpenSSL encryption; they simply involve ways of bypassing it. It's like knowing that your front door's deadlock is tamper-proof, but not realising that you've left a window open. Regardless of your faith in encryption algorithms, we have to concede that more windows have been left open in OpenSSL than anyone suspected.
It's easy to take this latest security breach as an excuse to bash the open source concept, but it's naive to think that proprietary SSL encryption platforms are somehow immune to flaws. The fact of the matter is that nothing is foolproof. If fundamental flaws in one of the world's most widely used encryption systems can go undiscovered for years, what other bugs are still lurking in the shadows in OpenSSL and other SSL systems? Who already knows about them but has chosen to keep quiet?
After Heartbleed the web giants which rely on OpenSSL have promised to commit more resources to the project, but the last few months have shown that you can never assume that online security is actually secure.
Just like privacy, is it time to assume that security is dead? How do you stay safe online?
Read more posts from Adam Turner's Gadgets on the Go blog.