The Upside of Heartbleed: SAML-based SSO to Manage Passwords

The Heartbleed bug has generated a lot of catastrophic commentary and reverberating repercussions since it was publicly disclosed on April 7. “‘Catastrophic’ is the right word,” wrote Internet security expert Bruce Schneier on his blog. “On the scale of 1 to 10, this is an 11.” That intensity of reaction is not surprising given estimates that around half a million of the Internet’s secure web servers (some 17 percent) were vulnerable to attack due to Heartbleed, in addition to countless embedded devices such as firewalls and routers.

The Heartbleed vulnerability was created in December 2011 when flawed code was introduced into OpenSSL’s source code repository and passed into widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012. The flaw is yet another missing length check: the handler for the TLS Heartbeat extension trusted the payload length stated in the incoming message instead of checking it against the amount of data actually received, so a remote peer could ask for, and get back, up to 64 KB of whatever happened to sit in the server’s memory next to the request, including private keys, session cookies and passwords. OpenSSL is an open-source implementation of the SSL and TLS security protocols. Critically, support for the Heartbeat feature that contained the flawed code was enabled by default, so every server that upgraded to the new version of OpenSSL became vulnerable immediately.
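What that missing check looks like in practice, as an added example that is not OpenSSL’s source: a toy heartbeat responder in C with the vulnerable logic beside a hardened version that mirrors the checks added in 1.0.1g. The memory image, the 4-byte “ping” payload, the claimed length of 64 and the SECRET string are all constructed for the demonstration, and the reply buffer is deliberately sized like the memory image so that the demo itself stays within bounds while still showing the over-read.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL code: a toy TLS Heartbeat (RFC 6520) responder.
 * Wire layout: type (1) | payload_length (2, big-endian) | payload | padding (>= 16).
 * Heartbleed was trusting payload_length without checking it against the record size really received. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define MEM_SIZE    128

/* Constructed stand-in for key material sitting next to the request in the heap. */
static const char SECRET[] = "SESSION_KEY=deadbeef";
static uint8_t last_reply[MEM_SIZE];   /* reply buffer filled by echoed_bytes() */

/* Constructed heap image: request at offset 0 really carrying the 4-byte payload "ping"
 * but advertising `claimed` bytes, SECRET right after its padding. Returns the real record length (23). */
static size_t build_memory(uint8_t *mem, uint16_t claimed)
{
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + 3, "ping", 4);
    size_t rec_len = 1 + 2 + 4 + HB_PADDING;
    memcpy(mem + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Response = header + `payload` bytes copied from p; in the vulnerable path this memcpy() runs past the record. */
static void echo_payload(uint8_t *reply, const uint8_t *p, uint16_t payload)
{
    reply[0] = HB_RESPONSE;
    reply[1] = (uint8_t)(payload >> 8);
    reply[2] = (uint8_t)(payload & 0xff);
    memcpy(reply + 3, p, payload);
    memset(reply + 3 + payload, 0, HB_PADDING);
}

/* Vulnerable responder, modelled on OpenSSL 1.0.1 to 1.0.1f: payload_length comes straight from the peer. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *reply, size_t reply_cap)
{
    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s(p, payload) */
    p += 2;
    (void)rec_len;                                        /* the bug: never consulted */
    if (hbtype != HB_REQUEST) return 0;
    /* OpenSSL sized the reply from payload_length; the demo's reply buffer is MEM_SIZE bytes. */
    if ((size_t)1 + 2 + payload + HB_PADDING > reply_cap) return 0;
    echo_payload(reply, p, payload);
    return payload;
}

/* Hardened responder, following the checks added in OpenSSL 1.0.1g: the record must hold a
 * header plus padding, and the advertised payload plus padding must fit inside the record. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *reply, size_t reply_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0;  /* the missing length check */
    if (hbtype != HB_REQUEST) return 0;
    if ((size_t)1 + 2 + payload + HB_PADDING > reply_cap) return 0;
    echo_payload(reply, p, payload);
    return payload;
}

/* Send one request with the given claimed payload_length; returns payload bytes echoed into last_reply (0 = dropped). */
size_t echoed_bytes(int use_fix, uint16_t claimed)
{
    uint8_t mem[MEM_SIZE];
    size_t rec_len = build_memory(mem, claimed);
    memset(last_reply, 0, sizeof last_reply);
    return use_fix ? heartbeat_fixed(mem, rec_len, last_reply, MEM_SIZE)
                   : heartbeat_vulnerable(mem, rec_len, last_reply, MEM_SIZE);
}

/* 1 if the SECRET bytes appear inside the echoed payload, else 0. */
int secret_leaked(int use_fix, uint16_t claimed)
{
    size_t n = echoed_bytes(use_fix, claimed), len = strlen(SECRET);
    for (size_t i = 3; i + len <= 3 + n; i++)
        if (memcmp(last_reply + i, SECRET, len) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable: echoed %zu bytes, leaked %d; fixed: echoed %zu bytes, leaked %d\n",
           echoed_bytes(0, 64), secret_leaked(0, 64), echoed_bytes(1, 64), secret_leaked(1, 64));
    return 0;
}
```

Saved as, say, heartbleed_demo.c and built with `cc -std=c99 -Wall heartbleed_demo.c`, the vulnerable path echoes 64 bytes, 20 of which are the SECRET that was never part of the request, while the hardened path drops the same request because 1 + 2 + 64 + 16 exceeds the 23 bytes that actually arrived. A well-formed request (claimed length 4) is still answered by both.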

An avalanche of media coverage means anyone affected has likely heard of the problem. Does that mean Heartbleed is yesterday’s story? Absolutely not. Heartbleed remains very much a live issue and one that will not be fixed quickly. The great challenge of addressing the Heartbleed vulnerability is that it requires a three-fold fix.

First, organizations that have deployed a flawed version of OpenSSL (1.0.1 through 1.0.1f) must replace it with the patched release, OpenSSL 1.0.1g, published on April 7, or, until they can upgrade, rebuild OpenSSL with the Heartbeat extension disabled (-DOPENSSL_NO_HEARTBEATS).

Second, because the server’s private key may have been read out of memory, affected organizations need to generate a new key pair, obtain a new SSL certificate for it and revoke the one they have been using. Re-issuing a certificate for the same key achieves nothing.

Third, they need to inform their customers that Heartbleed remediation has occurred and advise them to update their passwords as soon as possible. Until they do so, their customers remain exposed, since any password sent to the vulnerable server may already have been read. Any users who changed their password before steps one and two were complete must do it again, because the new password could have leaked in exactly the same way.

With all this however there is an upside to Heartbleed. It has shone a spotlight on the dirty secret of Internet security – the impoverished state of password management.

We use passwords to secure every aspect of our online lives, from configuring our broadband routers for Internet access to online banking and e-commerce purchases.  The problem is that for a password to stay effective, it must pass three simple tests:

  1. It must be unique, not the same password used across different accounts.
  2. It must be changed regularly, ideally once every three months or even more frequently.
  3. It must be longer than eight characters and contain letters, numbers, symbols and CAPITALS – and it should not contain any actual word from any spoken language forward or reverse or it will be guessed easily by cracking software.

Password generators do a great job of this – but they create passwords that are so random they can be impossible to remember.

The only practical way is to construct phrase-based passwords.  For example, “There is an upside to Heartbleed” can become the password “Tiau2hB?”. While this is fine for perhaps a handful of passwords, most people have passwords to many websites these days.  The reality is that people take shortcuts and, as a result, most Internet passwords fail at least one, if not all, of these tests.

In October last year, Adobe revealed that hackers had accessed customer databases containing the details of some three million of its users.  Within weeks, Adobe was forced to acknowledge that 38 million active users were impacted by the hack after a 3.8GB file containing more than 150 million usernames/passwords was dumped on the net.  Analysis of the dumped Adobe customer file revealed some mind-numbingly simple passwords including: 123456; password; adobe123; qwerty; 111111; photoshop; 0; abc123; iloveyou; aaaaaa; 666666; sunshine; letmein; welcome; and, of course, chocolate.

The lesson is that people are the biggest obstacle to maintaining good password practice.

Password managers in web browsers or third-party tools like KeePass, LastPass, 1Password and Apple’s Keychain help, but they do not get around the problem that, by the rules above, the owner of 100 web accounts should change each one four times a year – 400 changes, more than one a day – never using the same one twice.

Who has time for that?

Clearly, one password per website is simply not feasible no matter which managers, generators or “shock horror” plain text word documents people might employ. The only and obvious solution is to get rid of most passwords.  And the fact is that we’ve known how to do this for a long time.

Using Single Sign-On technologies such as SAML, OpenID or OAuth enables users to vastly reduce the number of passwords they need to manage. (Strictly, OAuth is an authorization framework for delegating access to an API rather than a sign-on protocol; it is the layer on which OpenID Connect builds its sign-on.)

SAML (Security Assertion Markup Language) is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

Secure SAML-based Single Sign-On means users enter passwords less frequently – perhaps just once a day – and, more importantly, enter them in only one place: the identity provider. The websites a user signs in to never see the password at all; they receive a signed SAML assertion instead. That makes keyboard loggers and other client-side attacks less effective, and it means a server-side flaw such as Heartbleed on an individual website cannot leak a password that website never held – or at least it becomes vastly more difficult to exploit on a large scale. The flip side is that the identity provider becomes the one server that must be patched and re-keyed first, because every session depends on it.

Centrify’s Direct Access for SaaS provides Single Sign-On identity management for web applications across a large range of devices and operating systems, from desktop and notebook computers to smartphones and tablets.  Centrify’s approach allows you to leverage your on-premises Active Directory (or a cloud directory) to provide Single Sign-On to enterprise cloud-based applications. It also provides a password vault for those recalcitrant sites that have not yet implemented SAML or similar technologies.

The upshot is that users need to recall only one password to access almost all online resources – with second-factor authentication for those sites and circumstances where one needs to be doubly sure, such as those controlling your finances or private corporate information.  In addition, by combining what you know (your password) with what you have (your registered device), these federated services can use device attestation – proof that the login is coming from a known, enrolled device – to provide stronger and more flexible authentication.

The upside of Heartbleed, then, is that it has hurt users, and particularly enterprises, enough that they will actively consider password alternatives. They will also no longer accept outdated security mantras such as “just pick a safe password and change it frequently” when that advice clearly does not work or scale.

The enduring lesson of Heartbleed is that users and enterprises should no longer regard SAML as just a nice to have feature – but as a business critical requirement for any website they intend staff to interact with.

The websites of the world have been put on notice.  Get behind certificate-based authentication, or you will risk losing your customers – with extreme prejudice!

So if the enduring impact of Heartbleed is to prioritize the widespread adoption of SAML-based authentication, then the payoff will be worth the pain.