Heartbleed repairs threaten to cripple the internet

The internet could slow to a crawl as companies scramble to fix the Heartbleed bug, security experts warn

Security experts have warned that the Heartbleed bug could slow the internet to a crawl as companies scramble to fix the security vulnerability in some versions of the OpenSSL encryption library.

Simultaneous efforts by companies to fix hundreds of thousands of websites threaten to cause major disruptions to the internet in the coming weeks, reports the Washington Post.

The most obvious way to fix the vulnerability is to update to the latest version of OpenSSL, but that is not enough in light of the fact that the flaw would have enabled attackers to steal encryption keys.

This means sites could still be vulnerable unless they revoke their security certificates and issue new ones because the encryption keys could have been stolen at any time in the past two years.

Although researchers reported the bug in April 2014 after OpenSSL was patched, the vulnerability was introduced through a coding error in December 2011.

Attackers who retrieved private keys from a server while it was still vulnerable would be able to impersonate the server by creating their own valid SSL certificate.

An attacker could still do this after the affected website has upgraded to the latest version of OpenSSL and deployed a new SSL certificate with different keys.

“Unless the previous certificate is revoked, the site will still be vulnerable to man-in-the-middle attacks,” internet security firm Netcraft warned in blog post.

But with around 500,000 sites believed to have been using vulnerable versions of OpenSSL, the process of revoking and reissuing security certificates could slow browsing experiences dramatically.

When browsers visit a secure site they download a list of revoked certificates, which has relatively little impact because this list is usually short.

But with hundreds of thousands of sites potentially updating their certificates in the coming weeks, browsers could be faced with extremely long lists to download, potentially slowing browsing to a crawl.

According to Netcraft, if a certificate authority has to revoke 10,000 certificates, the revocation list will have 10,000 certificates on it, resulting in a download that is hundreds of megabytes.

The most critical websites belonging to banks and governments were not vulnerable to the Heartbleed bug and most of the prominent ones that were affected have completed the process.

But so far only 80,000 certificates have been revoked, said Netcraft, which means there are about 420,000 still to go.

Certificate revocation has always been a bottleneck since SSL was invented, according to Mark Manulis, a senior lecturer at the University of Surrey's computing department.

If Heartbleed leads to large-scale revocations, that could cause problems, he told the BBC, as not all browsers downloaded lists and there are potentially hundreds of certification authorities to contact.

"Each browser would have to contact each of those authorities and download the lists because those lists are not shared," said Manulis.

Read more on IT risk management