Google updates its services to stop the bleeding

April 10, 2014

The Internet is all abuzz with news of the Heartbleed bug, which was discovered in the popular OpenSSL encryption library. For those who haven’t heard, a flaw in OpenSSL’s handling of the TLS heartbeat extension lets anyone who can open a connection to an affected server read chunks of that server’s memory, up to 64 KB per request, without leaving a trace in the server’s logs. That memory can contain session cookies, usernames and passwords in transit and, in the worst case, the server’s private key, which is exactly what a cyber-criminal or a government agency needs to decrypt traffic that was supposed to be protected. Most of us use secure connections when we sign in to Gmail or Google Play etc. and send our email address and password to Google for verification. A secure connection is used so that an eavesdropper can’t read our passwords. This isn’t only true of Google services; all the major services use HTTPS when we sign in or perform an online financial transaction.

Google has announced that it has updated the OpenSSL library on its servers (and, we presume, generated new private keys and revoked the old certificates) for Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. The search giant says that Google Chrome and Chrome OS are not affected.

Heartbleed is particularly severe because the bug has been in the OpenSSL library for two years (it shipped with version 1.0.1 in March 2012) and exploiting it leaves nothing behind in a server’s logs, so nobody can say for certain whether it was used. If a government agency did discover the bug (and didn’t tell anyone) then a great deal of past and future traffic to an exploited website is open for decryption. The reason is that the leaked memory can include the actual private key associated with a site’s SSL certificate. Once that key has been read, every connection that used plain RSA key exchange can be decrypted, including traffic that was captured previously and stored away in a deep government archive. Only connections negotiated with forward secrecy (the ephemeral Diffie-Hellman ciphersuites) are safe from that retroactive decryption, and even those are exposed to a live attacker who can use the stolen key to impersonate the site.


Tumblr has suggested that today might be a good day to “call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking.” The problem with Tumblr’s advice is that until a service actually gives the all clear, as Google has, changing your password is of no value: the new password travels over the same leaky connection and can be scooped out of the server’s memory just as quickly as the old one. Only once a service has updated OpenSSL, generated a new private key and certificate, revoked the old certificate and invalidated the sessions that were live while it was vulnerable can users safely change their passwords!

A few of Google’s services are still being updated, most notably Cloud SQL, which Google says is being patched right now, and Google Compute Engine. In the case of the latter Google says that its customers need to manually update OpenSSL on each running instance or replace any existing images with versions that include an updated OpenSSL. Installing the package is not the end of it: a process keeps using the copy of the library it loaded at startup, so anything that links OpenSSL (web servers, VPN daemons, mail servers) has to be restarted, and any keys those instances held while vulnerable should be treated as exposed and regenerated.

Google also reported that Android isn’t affected by the bug, with the exception of Android 4.1.1. The bug is called Heartbleed because the error is in OpenSSL’s implementation of the TLS heartbeat extension: one side sends a small “are you still there” message, declares how many bytes of payload it carries, and expects those bytes echoed back. OpenSSL trusted the declared length without checking it against what had actually arrived, so a request that claims 64 KB of payload while carrying almost none is answered with 64 KB of whatever happened to sit next to it in memory. Android 4.1.2 disabled the heartbeat functionality for better wpa_supplicant interoperability.
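The following C program is an added illustration of the heartbeat flaw described above; it is not code from the article or from OpenSSL itself. It reproduces the shape of OpenSSL’s tls1_process_heartbeat(): the record layout follows RFC 6520, the “heap” with a fake private key sitting right after the request is constructed for the demo, and the function names are invented. The two bounds checks taken when fixed is set are the ones the OpenSSL 1.0.1g patch added. A request that claims 64 payload bytes while carrying two gets the neighbouring secret echoed back by the vulnerable path and is silently discarded by the fixed one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TLS HeartbeatMessage (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16) */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_HDR 3                    /* type + payload_length */
#define HB_PAD 16                   /* minimum padding */

/* Constructed "process memory" for the demo: a genuine 2-byte request ("Hi"
 * plus 16 bytes of padding, 21 bytes in all) followed immediately by unrelated
 * secret data, as a neighbouring buffer might be on a real heap. */
#define REC_LEN  (HB_HDR + 2 + HB_PAD)
#define HEAP_LEN 96
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";   /* stand-in, not a real key */

static void fake_heap_init(unsigned char *heap, unsigned int claimed_len)
{
    memset(heap, 0, HEAP_LEN);
    heap[0] = TLS1_HB_REQUEST;
    heap[1] = (unsigned char)(claimed_len >> 8);     /* the attacker controls this field */
    heap[2] = (unsigned char)(claimed_len & 0xff);
    heap[3] = 'H';
    heap[4] = 'i';
    /* heap[5..20] is padding; the secret starts right after the record */
    memcpy(heap + REC_LEN, SECRET, sizeof SECRET);
}

/* Build the echo response for one heartbeat record. With fixed == 0 the declared
 * payload length is trusted (the Heartbleed bug); with fixed == 1 the two checks
 * from the 1.0.1g patch are applied. Returns bytes written, 0 if discarded. */
static size_t heartbeat_process(const unsigned char *rec, size_t rec_len,
                                unsigned char *resp, size_t resp_cap, int fixed)
{
    const unsigned char *p = rec;
    unsigned char hbtype;
    unsigned int payload;
    size_t resp_len;

    if (fixed && rec_len < HB_HDR + HB_PAD)          /* patch: record too short, discard */
        return 0;

    hbtype = *p++;
    payload = ((unsigned int)p[0] << 8) | p[1];      /* n2s(): attacker-declared length */
    p += 2;

    if (fixed && (size_t)HB_HDR + payload + HB_PAD > rec_len)   /* patch: the missing check */
        return 0;

    if (hbtype != TLS1_HB_REQUEST)
        return 0;

    resp_len = HB_HDR + payload + HB_PAD;
    if (resp_len > resp_cap)       /* demo-only guard; OpenSSL allocated the full size */
        return 0;

    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + HB_HDR, p, payload);               /* copies `payload` bytes from p, whatever is there */
    memset(resp + HB_HDR + payload, 0, HB_PAD);      /* OpenSSL uses RAND_pseudo_bytes() here */
    return resp_len;
}

/* Send a request that declares claimed_len payload bytes but carries two. */
static size_t run(unsigned int claimed_len, int fixed, unsigned char *resp, size_t cap)
{
    unsigned char heap[HEAP_LEN];
    if (HB_HDR + claimed_len > HEAP_LEN)             /* keep the over-read inside our fake heap */
        return 0;
    fake_heap_init(heap, claimed_len);
    return heartbeat_process(heap, REC_LEN, resp, cap, fixed);
}

/* Response length for the request (0 = request dropped). */
size_t demo_response_len(unsigned int claimed_len, int fixed)
{
    unsigned char resp[256];
    return run(claimed_len, fixed, resp, sizeof resp);
}

/* 1 if the response echoes SECRET, else 0. */
int demo_leaks_secret(unsigned int claimed_len, int fixed)
{
    unsigned char resp[256];
    size_t n = run(claimed_len, fixed, resp, sizeof resp);
    size_t i, mlen = strlen(SECRET);
    for (i = 0; i + mlen <= n; i++)
        if (memcmp(resp + i, SECRET, mlen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable, claims 64 bytes: %zu-byte response, secret leaked: %d\n",
           demo_response_len(64, 0), demo_leaks_secret(64, 0));
    printf("fixed, claims 64 bytes:      %zu-byte response (0 = discarded)\n",
           demo_response_len(64, 1));
    printf("fixed, honest 2-byte request: %zu-byte response\n", demo_response_len(2, 1));
    return 0;
}
```

The real attack declares up to 65535 bytes and repeats the request, sweeping through the process heap a little differently each time; the toy heap here is 96 bytes, so the demo caps what a request may claim. Note that the fixed path drops bad requests silently rather than alerting, which is also what the patch does, so a patched server still tells you nothing about whether it was probed before the fix.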

The ironic thing is that Neel Mehta of Google was actually credited with finding the bug, so you would have thought that Google had a head start on fixing the issue and that its services would already have been secure before the news hit the net. Maybe Google has become too much of a corporation for that to have happened!

Comments

  • duck hairs

    I hope this is what the NSA use and now that it’s getting patched they won’t be able to monitor people as much :0

    • BenGezarit

      Do you really think that the NSA hasn’t already found a way to continue the surveillance….

      • duck hairs

        Yes

        • jeff

          I just wasted 10 mins of my time reading the biggest bunch of bullshit I think I’ve ever heard. Sounds like schoolchildren fighting over a kickball. JMO!!!!!!!

          • duck hairs

            10 mins? You’re a slow reader, friend.

      • Siphiwe

        Even if they have, 1 inside man from the NSA would break the silence and spill the beans, then we’ll be safe again! :)

        • BenGezarit

          It’s good to have faith in people.

  • Luka Mlinar

    When asked what could be done Snowden laughed. There’s nothing that can stop the NSA.

    • Miles

      not even a corrupted Space Marines ?

  • KingofPing

    “Maybe Google has become too much of a corporate for that to have happened!”

    …or maybe they wanted to get it out there as quickly as possible so that others could start working on fixes as well.

    • http://www.garysims.co.uk garysims

      Of course Google published its findings immediately and got the information out there as quickly as possible. That is very normal and expected in these cases. But Google knew about this bug before anyone else and even though Heartbleed was announced on April 7th and a patch was made available on the same day, Google didn’t announce that it had patched its servers for two more days.

      OK, Google has a boat load of servers and rolling out an update like this takes a long time and I am sure that the system admins worked very hard to get this patched, but Google knew about this before everyone else.

      I just think considering the seriousness of this bug plus they had a head start then two days is a bit slow.

      Having said that I guess there will be other sites which will take weeks to update and then Google’s response will look like lightning!

      • KingofPing

        So they had it patched…but your problem is that they didn’t announce it was patched?

        *shakes head*

        Well, I could come up with a ton of rationale as to why they waited (testing, and verification the obvious ones), but I doubt it would affect your ire…

        • http://www.garysims.co.uk garysims

          I think you missed the point, they *didn’t* have it patched. Having it patched and delaying the announcement is fine but that isn’t what happened.

          Again I repeat, I understand that Google has an uber amount of servers but they had a head start.

          • KingofPing

            “Google knew about this bug before anyone else and even though Heartbleed was announced on April 7th and a patch was made available on the same day, Google didn’t announce that it had patched it servers for two more days.”

            Did I misread that?

            I assume the timeline described there is:

            Announcement of bug: Apr. 7th

            Google patch: Apr. 7th

            Google announcement of patch: Apr 9th.

            …that’s how it reads to me….

            “I understand that Google has an uber amount of servers but they had a head start.”

            Some people cannot be pleased.

          • http://www.garysims.co.uk garysims

            You are reading it wrong… Here is the same text with some explicit clarifications:

            Google knew about this bug before anyone else and even though Heartbleed was announced on April 7th and an [OpenSSL] patch was made available on the same day, Google didn’t [apply and then] announce that it had patched its servers for two more days.

            The timeline is more like:

            Announcement of bug: Apr. 7th

            OpenSSL patch: Apr. 7th

            Google patch: Apr 9th.

            >> Some people cannot be pleased.

            I have tried to phrase my disappointment at Google’s response time in the nicest terms possible as I do understand the magnitude of the deployment issues. However, Google is asking its customers (from whom it makes billions of dollars) to trust it with all of our data. We have a relationship, I give Google my data and Google needs to protect it. Once Google breaks that trust then it will lose customers. Google could have done a better job in this case.

          • KingofPing

            I’m simply saying, in even simpler terms, that saying “they could have done better” when you have nothing upon which to base that other than blind assumption (that they had enough time and people and resources), is the exact same as saying “nothing but absolute perfection will do.”

            …and we all know how achievable perfection is.

            Don’t see this as me being a dick to you. I’m not. I’m just explaining the logic as I see it being played out here. Fallible logic is something else I think we all know all too well (and find ourselves accepting all too frequently). I’m not slamming you, just trying to expose the logic.

          • http://www.garysims.co.uk garysims

            I appreciate your comments and I don’t think you are being unreasonable. As I pointed out, “there will be other sites which will take weeks to update and then Google’s response will look like lightning!”

            But I don’t think it is blind assumption on my part. Google has the people and resources. It is the chief custodian of consumer data on the Internet, its future depends on it getting it right. I am not looking for perfection and if Google wasn’t involved in the discovery of this bug then its response time is good. But the point is that Google knew about this before hand, you can be sure that the engineer who found this bug didn’t find it on the 6th and publish on the 7th.

          • KingofPing

            “But the point is that Google knew about this before hand, you can be sure that the engineer who found this bug didn’t find it on the 6th and publish on the 7th.”

            My point in a nutshell: This is something we absolutely do *not* know yet has been assumed as fact. It is one of many such assumptions that end up making the resulting conclusions inherently flawed.

            (…or I just spent way too much time in that class.) *grin*

            How about this:

            It may not be perfection, but as it is the best of our current state it is thus the bar by which perfection must be reasonably judged. (You’re gonna hate that, aren’t you?)

          • http://www.garysims.co.uk garysims

            If our assumptions are blind then of course the conclusions will be inherently flawed. If you put bad data into any model/system then the results will be wrong, no matter how good the model/system is.

            But the point is that since I worked for many years in the industry my assumptions aren’t based on guesses, they are based on my experience. So it isn’t a blind assumption to say that the bug wasn’t found on the 6th and reported on the 7th. My many years of experience tell me something different. At this point my assumptions become blinder. I can’t say for example that the guy found the bug last year and waited four months to publish, no, that would be a blind assumption.

            In other words I have taken an educated guess based on past experience. I am not stating it as a fact but as a reasonable assumption, which is quite different from a blind assumption.

          • KingofPing

            You’re asking us to trust your experience. Somewhat jokingly, I’ll surmise you’re new to the internet?

            If *I* blindly assume your experience is enough to warrant the assumption you’ve made then we’ll have to agree. Otherwise…it’s more blind assumption (just moved off of your plate onto ours).

          • http://www.garysims.co.uk garysims

            Do you want my CV? I have a honors degree in Business Information Systems and I worked for over 10 years as a software engineer for various companies including DEC and Reuters. I was probably compiling code while you were still in diapers, that is assuming you are new to the Internet :-)

          • KingofPing

            I could tell you I’m Bill Gates and have the world’s top dev-monkeys on the phone. :-)

          • http://www.garysims.co.uk garysims

            Fair enough… End of the line I guess.

          • KingofPing

            But no, really – I’m Bill Gates.

            Melinda says, “Hi.”


            (Is there such a thing as too much caffeine? I also just realized I’ve been arguing with the author. Neat-o. Why am I not banned yet?)

          • http://www.garysims.co.uk garysims

            Why would you get banned for engaging in a conversation, isn’t that what the comments section is for?

            Obviously when you started calling yourself Bill Gates I stopped but until then it was mainly a worthwhile thread.

          • KingofPing

            Shows ya what honesty will get ya nowadays. ;-)

            (I’m all better now, honest!)

            Caffeine is supposed to wear off eventually…right?

          • derp

            Omfg you sir are just too funny to read XD. I have used 10 min of my lifetime to read this amazing discussion about who’s right and who ain’t and I have no regrets, it’s just too funny to read XD
            *FACEPALM* derp

      • jeff

        Why does it matter. They got the data they wanted.JMO

  • Terry Parker

    So are you implying that Google should have withheld the info until they had a chance to fix their stuff? Think before you put down a company for being responsible.

    • http://www.garysims.co.uk garysims

      That isn’t what I am implying. Please learn to read before you write such nonsense.

      • Terry Parker

        I do know how to read very well and after rereading your last paragraph I stand by my comment. No need to insult me please.

        • http://www.garysims.co.uk garysims

          So when I wrote, “so you would have thought that Google had a head start on fixing the issue” you think I was implying that Google should have withheld the information until it had a chance to fix its services. If I read the same text I understand that I was raising a question about Google’s response time considering that it knew about the bug before everyone else. At no point does it imply, infer or suggest that Google should have withheld its findings, only that it should have reacted quicker since it had the information before everyone else.

          If you could point out to me the words that infer that Google should have withheld its findings about the bug I would be much obliged.

          As for insulting you, that wasn’t my intention but I was replying to your comment that I should “think before” which does imply that I didn’t think before I wrote what I did.

          • Terry Parker

            I already pointed it out. I also would point out that my comment implied that you know how to think just chose not to, while you implied that I need to learn to read. Not capable. Just remember, control c copy, control v paste. Just stick with what you know.

          • http://www.garysims.co.uk garysims

            You haven’t pointed it out, you say the whole last paragraph, yet I quoted some of the last paragraph in my previous comment and I would like to know how those words or any others in the last paragraph imply, infer or suggest that I think that Google should have withheld the information about this bug?

            >> Just remember, control c copy, control v paste. Just stick with what you know.

            I have no idea what that is meant to imply.

  • Yaritza Miranda

    Led Lampen did it too