Google 'selfish' over Heartbleed security bug disclosure

IT security experts are accusing Google of being selfish, putting its corporate interests before global internet users' security, playing favourites, and waiting too long to report the serious Heartbleed security bug to the open-source project whose software contained the critical error.


Google knew about the Heartbleed encryption flaw on or before March 21 in the US, and withheld it from rivals such as Yahoo, a timeline of events compiled by Fairfax Media reveals.

This has angered many in security circles, who say Google waited too long to tell the OpenSSL project, whose open-source encryption library contained the bug and is used by websites globally to encrypt internet traffic. Many of them also say that Google played favourites when it privately told select companies about the bug before OpenSSL.

The security bug, which has compromised the security of millions of online accounts, caused worldwide panic among website owners and users when it was disclosed publicly last week.

Many large sites have since patched against it but have not told users to reset passwords, as has been recommended by many security experts.

The discovery of the bug revealed that many of the "golden padlocks" used by some of the internet's major websites to encrypt traffic could be picked by hackers: a vulnerable server could be made to hand back chunks of its memory, which may contain session data, passwords and even the private key behind the padlock. Worse still, exploiting the bug left no trace in server logs, so there is no way to tell whether criminals had used it before it was disclosed publicly.

'Responsible disclosure'

Yahoo's online services – such as photo site Flickr, Yahoo Mail and Yahoo web search – remained vulnerable for up to 48 hours after the flaw was made public by OpenSSL, as did many other websites, operating system distributions and device manufacturers.

Those left in the dark before public disclosure include Amazon Web Services, Twitter, Yahoo, Ubuntu, Cisco, Juniper, Pinterest, Tumblr, GoDaddy, Flickr, Minecraft and CERT Australia, just to name a few.

Those who got a heads up before public disclosure include Facebook, content distribution networks Akamai and CloudFlare, and a small number of operating system distributions – such as SuSE and FreeBSD (a BSD system rather than a Linux one) – that responded to an email from Linux distribution Red Hat early on April 7. (A Linux distribution is an operating system built on top of the open-source Linux kernel.) Red Hat was told about Heartbleed late on April 6 in the US thanks to its connections at OpenSSL.

Who knew what and when has reignited the "responsible disclosure" debate in IT security circles, on which security engineers hold sharply different views.

Google notified OpenSSL about the bug on April 1 in the US – at least 11 days after discovering it. Google would not reveal the exact date it found the bug, but logs show it created a patch on March 21, and Google sources say it was found no earlier than March 1.

Google 'unethical'

"I think [the way in which it was disclosed by Google was] quite unethical in my view," said computer science professor Willy Susilo, from the University of Wollongong in NSW.

"Google should have talked to the OpenSSL community first instead of just leaking to ... their friends basically," Professor Susilo said. "As soon as [the Google engineers who discovered the bug] found out that there was an issue – and this was a major issue in my view – they should have immediately told the OpenSSL community but not told the general public.

"Google is very selfish, I must say, in this particular instance."

A Google spokesman declined to reveal who the company told before telling OpenSSL.

"We aren't commenting on when or who was given a heads up," a Google spokesman said. "The security of our users' information is always a top priority," another said.

Google's official disclosure policy, according to a blog post written by Google Security team members Chris Evans and Drew Hintz in May last year, is to notify vendors of critical bugs promptly, with the shortest deadline reserved for bugs it sees being "actively exploited".

Further, the policy says it generally gives vendors 60 days to patch critical vulnerabilities before it makes the vulnerability public so that others can protect themselves. For those actively being exploited Google gives seven days. Those deadlines run from the moment the vendor is notified; the policy says nothing about how quickly Google must notify a vendor once it has found a bug, which is precisely the gap at issue here.

In Heartbleed's case, it is understood Google did not see the bug being exploited in the wild, although the US Electronic Frontier Foundation has since come out with information suggesting that in at least one case it may have been exploited since November last year. Bloomberg also reported that the NSA knew about the bug for at least two years, which the agency has denied.

'Do no evil'

Lani Refiti, branch chairman and spokesperson of the Australian Information Security Association, a representative industry body for IT security professionals, echoed Professor Susilo's concerns.

"It has been reported Neel Mehta [of Google Security] discovered this early i.e. March 21. If that is true, it allowed Google to patch its servers globally. But in 'doing no evil', why did it not notify OpenSSL [immediately]? Google aren't compelled to disclose what they find but as a responsible global citizen of the cyber community I would've expected better," Mr Refiti said.

Mr Refiti said OpenSSL sat on it for too long as well. Waiting until the morning of April 7 in the US to disclose it was "a long time to sit on a vulnerability of this magnitude".

"Responsible disclosure is about ensuring you have factual evidence, have reproduced the bug, have tested any patches that need deploying. But given what we know – and how easy it is to test it – it does seem a long time. It probably points to a broader issue around remediation."

'Perfectly reasonable'

Patrick Gray, an Australian IT security analyst and host of the security podcast Risky Business, has an alternative view.

"I think the Heartbleed disclosure ran about as well as any vulnerability disclosure I've ever seen. The turnaround from discovery to patch was much quicker than average and it was perfectly reasonable of Google to fix its own servers before telling anyone else about it," he said.

Mr Gray said that disclosing the bug after 11 days or more was "quick" on Google's part.

"The bug had been there for two years," he said. "I don't think 11 extra days made a big difference to risks faced by the general public."

'Room for improvement'

Casey Ellis, an Australian who runs bug bounty program BugCrowd, which rewards security engineers for finding flaws in companies' websites, said there was room for improvement.

"In Google's case, it would have been irresponsible to their users not to patch their systems," Mr Ellis said. "On the other hand, it would appear that the handling of the vulnerability wasn't 'need to know' prior to its full disclosure to the public, so there's room for improvement there."

Australian IT security researcher Troy Hunt said it would have taken Google a long time to patch its servers, and that this may be why it took so long to notify OpenSSL.

"It would've been a massive undertaking on their behalf to go through that," Mr Hunt said.

"Last time I heard, and this is going back a couple of years, they have a million servers."

The Heartbleed bug was made public by OpenSSL on April 7 in the US, after a Finnish security testing firm, Codenomicon, independently reported the same bug via the National Cyber Security Centre Finland (NCSC-FI). It was made public shortly after that second report, which spooked OpenSSL: if two groups had found the bug independently, it reasoned, hackers might well have found and been exploiting it too.

'Bungled horribly'

"This was bungled horribly," a security person, associated with a large Linux distribution who spoke on the condition of anonymity, said. "I'm mystified."

"Google has good security and open-source people ... who know how to handle these sorts of issues, and sitting around for two weeks and then [having Red Hat via OpenSSL] starting to contact [Linux distribution] vendors a few hours before the issue becomes public is neither good practice nor consistent with how Google has handled other issues in the past," the person said.

"I'd say that vulnerabilities in code as widespread as OpenSSL should be disclosed to vendors at least three days, and ideally seven days, prior to anything being announced publicly."

Who told who

OpenSSL's founder and core team member, Mark Cox, said that when Google told it on April 1 about the bug it said it had "notified some infrastructure providers under embargo" about the flaw.

Mr Cox said he did not have the names of those who were told under embargo by Google.

Although it is now known that some Linux distributions were told by Red Hat via OpenSSL, it's unclear who told Facebook, Akamai and CloudFlare about Heartbleed before it became public.

Akamai has been the most transparent, saying someone within the OpenSSL community told it about Heartbleed. (It initially said it was "contacted by the OpenSSL team", but retracted this from its blog after OpenSSL's core team denied it; Akamai now says someone within the "OpenSSL community" informed it.) Akamai patched against Heartbleed on April 4.

CloudFlare said it patched its servers on March 31, meaning it likely found out about Heartbleed via someone at Google. Facebook has resisted calls to reveal who told it and when.

Those close to security circles in Silicon Valley have told Fairfax that Facebook and CloudFlare regularly talk to Google's security engineers, and that's how they likely received a heads up.

Pre-notification schemes 'always leak like sieves'

Jussi Eronen, of NCSC-FI, said the Heartbleed bug should have continued to remain a secret in security circles before April 7, and not published publicly when OpenSSL received a second bug report from Codenomicon.

"This would have minimised the exposure to the vulnerability for end users," Mr Eronen said, adding that "many websites would already have patched" by the time it was made public if this procedure was followed.

But he recognised this presented problems, "as extending the communications makes leaks more probable, especially if the participants are not used to dealing with vulnerability pre-notifications". Despite this, Mr Eronen said it would have been helpful to tell vendors that something major was about to happen on April 7, and that they should be prepared for it.

Risky Business' Gray echoed Eronen's concerns about pre-notification systems and their flaws.

"Groups that receive advance notification of problems like this always leak like sieves," Mr Gray said. "Microsoft even had problems with its [Microsoft Active Protections Program] leaking a couple of years ago. If you're sitting on a bug like this, the only people you should talk to about it are people who you absolutely trust to keep their mouths shut."

He said the best sharing networks in information security were informal, private, and built heavily on trust.

"I'm not talking about trust between two companies that might be partners, I'm talking about personal trust. I know Bob and Alice, they're solid and I can give them a heads up on this and it won't leak. That sort of thing," Mr Gray said.

'Google deserves credit'

Gary Stock, a former special projects cryptanalyst at the NSA who is now chief executive of Nexcerpt, a news briefing service, said he could not fault Google and OpenSSL.

"Given the complexity of this ecosystem, I would say Google and most others did as well as human nature could permit," he said. "Google appears not to have gone out of its way to capitalise on the issue, as some other players did. Google deserves credit for such restraint."

Future Heartbleed prevention

Asked how OpenSSL would make sure something like Heartbleed didn't happen in the future, OpenSSL core team member Ben Laurie, who just happens to work at Google, said no promises could be made.

"No one knows how to write completely secure code," he said, speaking on behalf of OpenSSL.

"However, a better job could be done of reducing the risk. For example, code audit, more review of changes. These things take more manpower, which can either come from donated time or donated money."
