Heartbleed

The Internet freaked out about the OpenSSL Heartbleed bug last week. The XKCD comic has the best explanation of just what it is; Bruce Schneier as usual has been collecting a metric ton of links on the subject; The Sydney Morning Herald (!) has published a timeline of the disclosure.

Like every person with an internet connection, I too received a string of emails and saw a bunch of blog posts from several services I’d signed up for (and subsequently forgotten about) as they went about fixing their side of Heartbleed. Thought I should follow fashion.

The good news is that your friendly Internet site, this site, is not affected by the Heartbleed bug, not in the least because you’ve entrusted your precious secure communication or passwords with me. HCoop members mostly got to sit back and relax because we’re running the stablest, securest, least affected Debian out there. We may have several other problems, but Heartbleed isn’t one of them!

Some good folk have written tools to check for the vulnerability: Jonathan Rudenberg’s heartbleeder is one; Filippo Valsorda’s heartbleed is another.

Here’s heartbleeder checking nonzen.in:

$ sudo apt-get install golang-go
$ mkdir /tmp/go; export GOPATH=/tmp/go
$ go get -u github.com/titanous/heartbleeder
$ /tmp/go/bin/heartbleeder nonzen.in
SECURE(nonzen.in:443) - does not have the heartbeat extension enabled

Alrighty then. Back to my wayward ways.

On Password Managers

Since it’s quite possible that passwords might have leaked, and since opportunities present themselves as problems (right? right?), and since it’s quite likely that we’ll go through the same motions when the next security fiasco happens, I also took the time to investigate some password managers.

These are some that are available in Debian: Keepass, KeepassX, Pass, Assword, and Revelation. None of them really makes me happy. There’s the usual usability problem, and then there’s the problem that none of them quite do what I want them to do.

This is what I want them to do:

Users of Mac OS X, iOS, MS Windows, and Android have their fancy 1Password. Lastpass evidently supports more platforms. I’m sure they’re nice, but in order to start using them, or the earlier mentioned password managers, you have to first know about them. My argument is that everyone deserves better password security than that.

I would like everyday libre software to do password management seamlessly, and for it to be present and available by default. I wish GNOME Seahorse could do all these things in addition to the things it’s already doing: namely, storing security credentials. I wish KDE Wallet Manager and Seahorse could share a common backend, so folk could switch desktop environments whenever they like and continue to have their passwords around.

(I also wish we all could stop writing security-critical software using programming languages with sharp edges. Maybe I’m wishing for too much?)

(Posted on April 16, 2014.)