Heartbleed

The Internet freaked out about the OpenSSL Heartbleed bug last week. The XKCD comic has the best explanation of just what it is; Bruce Schneier, as usual, has been collecting a metric ton of links on the subject; and The Sydney Morning Herald (!) has published a timeline of the disclosure.

Like every person with an internet connection, I too received a string of emails and saw a bunch of blog posts from several services I'd signed up for (and subsequently forgotten about) as they went about fixing their side of Heartbleed. Thought I should follow fashion.

The good news is that your friendly Internet site, this site, is not affected by the Heartbleed bug, not in the least because you've entrusted your precious secure communication or passwords to me. HCoop members mostly got to sit back and relax because we're running the stablest, securest, least affected Debian out there. We may have several other problems, but Heartbleed isn't one of them!

Some good folk have written tools to check for the vulnerability: Jonathan Rudenberg's heartbleeder is one; Filippo Valsorda's heartbleed is another.

Here's heartbleeder checking nonzen.in:

$ sudo apt-get install golang-go
$ mkdir /tmp/go; export GOPATH=/tmp/go
$ go get -u github.com/titanous/heartbleeder
$ /tmp/go/bin/heartbleeder nonzen.in
SECURE(nonzen.in:443) - does not have the heartbeat extension enabled
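
The "does not have the heartbeat extension enabled" verdict comes from looking at the extensions a server lists in its ServerHello: the TLS heartbeat extension (RFC 6520) is type 15, and a server that never advertises it will not answer heartbeat requests at all. The parser below is an added example, not code from heartbleeder or any of the tools named above; it decodes a single TLS handshake record carrying a ServerHello and reports whether the heartbeat extension is present and which mode it announces. The two ServerHello records it runs on are constructed inline for the example (a TLS 1.1 hello with a null cipher suite) rather than captured from any real server.

```python
import struct

HEARTBEAT_EXT_TYPE = 0x000F  # TLS extension type for heartbeat, RFC 6520
HEARTBEAT_MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}


def parse_server_hello_extensions(record: bytes) -> dict:
    """Parse one TLS handshake record holding a ServerHello.

    Returns {extension_type: extension_data}. Every length field is
    checked against the bytes actually present, so a truncated or
    malformed record raises ValueError instead of being misread.
    """
    if len(record) < 5:
        raise ValueError("record too short for a TLS header")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:  # 22 = handshake
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")

    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 2:  # 2 = server_hello
        raise ValueError("not a ServerHello")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")

    pos = 2 + 32                      # server_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                # session_id
    pos += 2 + 1                      # cipher_suite + compression_method
    extensions = {}
    if pos == len(hello):
        return extensions             # hello ends here: no extensions block
    ext_total = int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    end = pos + ext_total
    if end != len(hello):
        raise ValueError("extensions length does not match message")
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension body")
        extensions[ext_type] = data
        pos += ext_len
    return extensions


def heartbeat_status(record: bytes):
    """Return (enabled, mode_name) for the heartbeat extension in a ServerHello."""
    extensions = parse_server_hello_extensions(record)
    if HEARTBEAT_EXT_TYPE not in extensions:
        return False, None
    data = extensions[HEARTBEAT_EXT_TYPE]
    mode = data[0] if len(data) == 1 else None
    return True, HEARTBEAT_MODES.get(mode, "unknown")


def build_server_hello(extensions):
    """Construct a minimal ServerHello record for the example (not a capture)."""
    hello = b"\x03\x02" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions is not None:
        ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        hello += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x02" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: one server that advertises heartbeat, one that does not.
HELLO_WITH_HEARTBEAT = build_server_hello([(0xFF01, b"\x00"), (HEARTBEAT_EXT_TYPE, b"\x01")])
HELLO_WITHOUT_HEARTBEAT = build_server_hello(None)

if __name__ == "__main__":
    for name, rec in (("with", HELLO_WITH_HEARTBEAT), ("without", HELLO_WITHOUT_HEARTBEAT)):
        enabled, mode = heartbeat_status(rec)
        print(name, "-> heartbeat enabled:", enabled, "mode:", mode)
```

A server that does not advertise the extension is out of reach of the bug, which is why the tool above reports it as SECURE. The converse does not hold: a server that does advertise heartbeat may be running patched OpenSSL or not, and telling those apart is the further check the tools named above perform.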

Alrighty then. Back to my wayward ways.

On Password Managers

Since it's quite possible that passwords might have leaked, and since opportunities present themselves as problems (right? right?), and since it's quite likely that we'll go through the same motions when the next security fiasco happens, I also took the time to investigate some password managers.

These are some of the ones available in Debian: KeePass, KeePassX, Pass, Assword, and Revelation. None of them really makes me happy. There's the usual usability problem, and then there's the problem that none of them quite does what I want.

This is what I want them to do:

  • Generate passwords, and associate them with the appropriate services. Except in special cases, I should never have to create, or remember, a password myself.
  • Integrate well with web browsers: autofill forms, remember addresses, remember credit cards, that kind of thing.
  • Synchronize, in a secure and convenient manner, with my pocket surveillance device pocket computer phone and other computers I might have.
  • Not have a confusing UI.
  • The next time I have to change passwords Internet-wide, I should be able to regenerate and resync them at the push of a button. Of course this is quite hard to do in the absence of a universally adopted identity and account management protocol, but hey, can't a man have some wishes?

Users of Mac OS X, iOS, MS Windows, and Android have their fancy 1Password. LastPass evidently supports more platforms. I'm sure they're nice, but in order to start using them, or the password managers mentioned earlier, you first have to know about them. My argument is that everyone deserves better password security than that.

I would like everyday libre software to do password management seamlessly, and for it to be present and available by default. I wish GNOME Seahorse could do all these things in addition to what it already does, namely storing security credentials. I wish KDE Wallet Manager and Seahorse could share a common backend, so folk could switch desktop environments whenever they like and still have their passwords around.

(I also wish we all could stop writing security-critical software using programming languages with sharp edges. Maybe I'm wishing for too much?)

(Posted on 16 April 2014.)