The "Goto Fail" and "Heartbleed" Bugs
Why they were called the worst security flaws in Internet history, and what you should do about it
Another week, another security alert, right? Most of us have grown nearly oblivious to these because we know our computers automatically download and install fixes to new security flaws, run anti-virus software, and make frequent backups of our data. But, if the extra hype in the news back in early 2014 made you think the so-called Goto Fail and Heartbleed bugs might be truly serious, you were right. Goto Fail enables easy treachery if you're targeted, and Heartbleed makes Goto Fail seem like child's play. Although both were fixed long ago, this episode represents how a simple programming error by one guy can potentially undermine the entire security apparatus that protects all the sensitive information you might transmit or store on an affected website.
This article focuses on the real-world effect of these bugs, as well as how to fix them if you haven't already. So let's start with the basics of what these bugs entail.
Both bugs introduced breaches into the common security system used by websites and mail servers to keep your passwords, e-mails, and data safe from eavesdropping in transit. Secure websites and all mail servers use a procedure called SSL to prove that the server you're communicating with is the one you think it is. SSL also enables your computer to send your password, and all other information, encrypted in such a way that only that server can decrypt it, and vice-versa. This happens transparently; if you see the https:// prefix in a website's address, or select the SSL or TLS checkbox when setting up your e-mail, then your computer will use SSL.
This all relies on the absolute secrecy of a tremendously long and unguessable string of numbers called a private key, generated by each server for itself and never transmitted. Even though the private key never leaves the server and is unknown to your computer, your computer can always tell whether any given server has the correct private key, and can use it to create a unique and secret encryption key for sending information to that server. How it all works is a fascinating feat of mathematical wizardry, and quite complex if you want to delve into it. It's also amazingly secure; the authentication mechanism is virtually impossible to break through clever technological trickery or brute force.
Goto Fail and Heartbleed are programming errors that compromised the integrity of these server private keys. As you can imagine, when this happens, the entire SSL system can be rendered useless—or worse than useless, if it's unsecure and you don't realize it. So, let's see how these bugs did it.