Fix for Heartbleed bug may slow internet to a crawl

Most sites have closed the back door to hackers with a patch, but it will make browsers sluggish

PUBLISHED : Wednesday, 16 April, 2014, 11:37pm
UPDATED : Thursday, 17 April, 2014, 4:13am
The heartache from the Heartbleed internet flaw is not over, and some experts say the fix may lead to more online disruption and confusion.

The good news is that most sites deemed vulnerable have patched their systems or are in the process of doing so.

The bad news is that web browsers might be overloaded by the overhaul of security certificates, leading to error messages and impacting web performance, said Johannes Ullrich of the SANS Internet Storm Centre.

"A good percentage of the websites are patched," Ullrich said on Tuesday.

Once patched, web operators can obtain new security certificates, which browsers use to verify that a site can be trusted.

But Ullrich noted that for each patch, web browsers must update their list of "untrusted" certificates or "keys" that would be rejected.

"For the fix, the website needs to obtain a new private key and the old key has to be revoked," he said. "Browsers will not trust the old keys."

Browsers generally update dozens of keys on a daily basis, but because of the Heartbleed fix, that number may rise to tens of thousands.

If the verification process took too long, Ullrich said, the browser might simply declare the site invalid or show an error message.
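The mechanism the article describes, worked through as an added example that is not from the article or from SANS: a site rotates its key after the patch, the certificate authority puts the old certificate's serial number on its revocation list (CRL), and a client either finds the old certificate on that list, or cannot download the list in time and has to decide whether to fail closed or open. The CA, host name, serial numbers and clock are all constructed here in memory using the `cryptography` package; none of them are real.

```python
"""Added example (not the article's): key rotation, CRL revocation and the
client's decision when the CRL is slow. All names, serials and keys are
constructed with the `cryptography` package; nothing here is real."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed clock anchor so the example is deterministic.
NOW = datetime(2014, 4, 16, tzinfo=timezone.utc)
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA (constructed)")])


def new_key():
    return ec.generate_private_key(ec.SECP256R1())


def make_ca():
    """Self-signed CA standing in for the site's public CA."""
    key = new_key()
    cert = (x509.CertificateBuilder()
            .subject_name(CA_NAME).issuer_name(CA_NAME)
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(NOW - timedelta(days=30))
            .not_valid_after(NOW + timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_site_cert(ca_key, site_key, hostname, serial):
    """Leaf certificate binding the hostname to whichever key the site holds now."""
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .issuer_name(CA_NAME)
            .public_key(site_key.public_key()).serial_number(serial)
            .not_valid_before(NOW - timedelta(days=1))
            .not_valid_after(NOW + timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))


def build_crl(signing_key, revoked_serials):
    """The 'untrusted list' from the article: serial numbers the CA has revoked."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(CA_NAME).last_update(NOW)
               .next_update(NOW + timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(NOW).build())
    return builder.sign(signing_key, hashes.SHA256())


def revocation_status(cert, crl, ca_cert):
    """'good', 'revoked', or 'crl_untrusted' when the CRL was not signed by the CA."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "crl_untrusted"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def client_decision(cert, ca_cert, fetch_crl, hard_fail):
    """Model of a browser's choice. fetch_crl() raising TimeoutError is the
    slow-verification case; hard_fail decides whether an unreachable CRL blocks
    the connection (fail closed) or is ignored (fail open)."""
    try:
        crl = fetch_crl()
    except TimeoutError:
        return "reject" if hard_fail else "accept_unchecked"
    return "accept" if revocation_status(cert, crl, ca_cert) == "good" else "reject"


def heartbleed_rotation_demo():
    """The fix end to end: new key, new certificate, old serial revoked."""
    ca_key, ca_cert = make_ca()
    old_key = new_key()                      # key that may have leaked from memory
    old_cert = issue_site_cert(ca_key, old_key, "shop.example", serial=1001)
    fresh_key = new_key()                    # generated after patching
    new_cert = issue_site_cert(ca_key, fresh_key, "shop.example", serial=1002)
    crl = build_crl(ca_key, [old_cert.serial_number])
    forged_crl = build_crl(new_key(), [new_cert.serial_number])  # not signed by the CA

    def crl_arrives():
        return crl

    def crl_times_out():
        raise TimeoutError("CRL download exceeded the client's deadline")

    return {
        "old_status": revocation_status(old_cert, crl, ca_cert),
        "new_status": revocation_status(new_cert, crl, ca_cert),
        "forged_crl_status": revocation_status(new_cert, forged_crl, ca_cert),
        "old_cert_with_crl": client_decision(old_cert, ca_cert, crl_arrives, hard_fail=True),
        "old_cert_slow_hard_fail": client_decision(old_cert, ca_cert, crl_times_out, hard_fail=True),
        "old_cert_slow_soft_fail": client_decision(old_cert, ca_cert, crl_times_out, hard_fail=False),
        "crl_entries": len(crl),
    }


if __name__ == "__main__":
    for name, value in heartbleed_rotation_demo().items():
        print(f"{name}: {value}")
```

The two timeout branches are the trade-off behind the article's warning: a client that fails closed shows the error message Ullrich predicts when a large CRL does not arrive in time, while a client that fails open (or a user who disables the check) keeps accepting the old, possibly compromised certificate, which is the `accept_unchecked` outcome. The forged-CRL case shows why the list itself must be signed by the CA before its contents mean anything.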

"People will see errors," he said. "They will see an invalid certificate. They can either accept the certificate or consider it invalid."

The big danger is that internet users may become so confused or frustrated that they ignore the warnings or reconfigure their browsers to no longer perform the security check.

"If people turn off those lists, then a hacker could get in," Ullrich said.

The bug is a flaw in the OpenSSL encryption software used by "https" websites, which internet users have been taught to trust.

Warnings have spread in the last week about the Heartbleed flaw, which lets hackers snatch packets of data from working memory in computers, creating the potential for them to steal passwords or encryption keys.

Google said some versions of its Android mobile operating system might be vulnerable.