The Washington Post reported today that the need to replace key security credentials on at least 500,000 websites worldwide because of the Heartbleed bug was likely to result in Internet slowdowns over the next few days.
It turns out the Heartbleed bug makes it possible to steal not just passwords but also the security certificates that verify that a website is authentic. While it was first thought that websites impacted by the Heartbleed flaw would just have to change passwords, it now turns out they must revoke their current security certificates and obtain new ones to assure network security. This is likely to lead to Internet congestion over the next few days.
Details on Heartbleed bug
The Heartbleed bug puts the usernames and passwords of millions of people at risk. Not publicly disclosed for more than two years, Heartbleed is a flaw in OpenSSL, an encryption technology used by nearly all businesses. According to computer security analysts, the bug impacted 65-70% of the websites on the Internet. Public warnings about the Heartbleed bug prompted thousands of consumers to change their passwords on Google, Yahoo, Facebook and other websites.
“Imagine if we found out all at once that all the doors everybody uses are all vulnerable — they can all get broken into,” explained Jason Healey, a cybersecurity expert at the Atlantic Council. “The kinds of bad things it enables are largely limited only by the imagination of the bad guys.”
Revoking and replacing security certificates
According to cybersecurity analysts, all 500,000 affected sites — from small businesses to multinationals — will need to revoke their security certificates and obtain new ones. This process is, unfortunately, likely to lead to an Internet slowdown.
When you visit a secure website, your browser automatically checks the site’s security certificate against a list of revoked certificates. That revocation list is typically just a handful of entries, but because of the need to fix the Heartbleed flaw it is very likely to grow to thousands of entries over the next few days. That means browsers will have to deal with now-massive files, and confirming a site’s identity will probably take much longer.
“If a certificate authority has to revoke 10,000 certificates, that entry will have 10,000 certificates on it,” according to security consultant Paul Mutton of Netcraft. “And if browsers have to download that we’re talking hundreds of megabytes.” Just how long the security certificate process will take depends on the individual system and network, but many users are likely to experience at least some delay.