On 07 April 2014 a very serious OpenSSL bug with the colourful name ‘Heartbleed’ was disclosed. You can read more about this bug here, here and on the blog of the Chuck Norris of cryptography, Bruce Schneier. You can check here if your website or a service you’re using is affected by this bug.
Suffice it to say that the consequences are about as severe as they get for most of the core services of the Internet: GitHub, Google, Facebook, Dropbox, Evernote and Tumblr, to name but a few. Most of the services we love to use every day are affected by this bug, which means you have to change each and every one of your passwords and API keys for these services as soon as possible. You’re lucky if you’ve already been using a password management tool such as 1Password, because this likely means you already have distinct, automatically generated passwords for each website.
Nevertheless, I feel like I have been doing nothing but changing passwords and cycling API keys the last few days (and more to come). Changing passwords manually for numerous websites and – where possible – enabling 2-factor authentication for extra security is a bloody hassle, to say the least.
This is why I had the following idea: why can’t we have a new protocol that deals with this stuff automatically? Websites could offer an endpoint that allows password management tools to periodically check whether there was a security breach or – as in this case – a security hole in the software infrastructure, and automatically negotiate security settings and update passwords accordingly. This certainly is just a rough description, but I hope you get the idea. Actually implementing and promoting such a protocol would require both serious engineering effort and widespread adoption by websites and important Internet services.
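As an added sketch of how such a breach-check endpoint and a password manager client could fit together (this is not code from the original post; the JSON schema with `service`, `incidents`, and per-incident `disclosed`, `patched` and `rotate` fields is my assumption), the client only rotates a credential once the service reports the hole as closed, since a secret rotated before the fix can leak just like the old one:

```python
import json
from datetime import date

# Constructed sample response from an assumed endpoint; field names are my assumption.
SAMPLE_FEED = json.dumps({
    "service": "example.com",
    "incidents": [
        {"id": "2014-04-heartbleed", "disclosed": "2014-04-07",
         "patched": "2014-04-08", "rotate": ["password", "api_key"]},
        {"id": "2014-04-other", "disclosed": "2014-04-09",
         "patched": None, "rotate": ["api_key"]},
    ],
})

# Constructed vault entries as a password manager might keep them.
SAMPLE_VAULT = [
    {"service": "example.com", "kind": "password", "rotated": "2013-11-02"},
    {"service": "example.com", "kind": "api_key", "rotated": "2014-04-08"},
    {"service": "other.org", "kind": "password", "rotated": "2012-01-01"},
]


def parse_feed(raw):
    """Parse the assumed JSON schema; dates are ISO-8601 days, 'patched' may be null."""
    feed = json.loads(raw)
    incidents = []
    for inc in feed["incidents"]:
        incidents.append({
            "id": str(inc["id"]),
            "disclosed": date.fromisoformat(inc["disclosed"]),
            "patched": date.fromisoformat(inc["patched"]) if inc.get("patched") else None,
            "rotate": set(inc.get("rotate", [])),
        })
    return feed["service"], incidents


def plan_rotation(raw_feed, vault):
    """Decide per vault entry whether to rotate now, wait for a fix, or do nothing."""
    service, incidents = parse_feed(raw_feed)
    plan = {}
    for entry in vault:
        if entry["service"] != service:
            continue
        rotated = date.fromisoformat(entry["rotated"])
        relevant = [i for i in incidents if entry["kind"] in i["rotate"]]
        if any(i["patched"] is None for i in relevant):
            # The hole is still open: a new secret could leak the same way, so hold off.
            plan[entry["kind"]] = "wait"
        elif any(rotated <= i["patched"] for i in relevant):
            # Day granularity: a same-day rotation may predate the fix, so treat it as stale.
            plan[entry["kind"]] = "rotate"
    return plan
```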
Nonetheless, I think the benefit of such a solution would be huge, both in terms of time saved and in improving the overall security of the Web. So, 1Password and LastPass: if you’re reading this, please feel free to steal this idea!