Three major vulnerabilities rocked the world of Internet security this year, including two high-profile bugs that jeopardized the security of HTTPS encryption itself. These vulnerabilities may have each cost sysadmins around the world some sleepless nights, but they also reinforced the idea that best security practices can protect users even where the software has bugs.
Heartbleed: In April, two teams of researchers disclosed an issue with the way the popular OpenSSL software implemented an extension called a "heartbeat." Normally, a heartbeat allows you to make sure a server is still online, by asking it to respond at a regular interval. But OpenSSL could be tricked into responding with more information than it had been asked for directly, which could lead to the server disclosing the data it held (or even, as it turned out, its keys).
Unfortunately, this kind of simple programming error happens—and it can go unobserved for a while, even in open source software. As we said in April, there's an important mitigation that could protect users from some of the worst fallout of bugs like Heartbleed: forward secrecy. Without forward secrecy, communications that were intercepted at any point are vulnerable to decryption if the key is ever compromised—through a bug like Heartbleed, or any other way. But with forward secrecy enabled, past messages are safe, and sysadmins can protect future messages by creating a new key.
Shellshock: In September, a serious bug in the widely used Unix Bash shell was identified, which enabled environment variables to execute arbitrary commands on the affected machines. In addition to being significant as a security problem, it was also notable for its longevity: versions of the vulnerability date back to Bash releases from 1989.
POODLE: Finally, in December, a research team disclosed an attack named POODLE, short for "Padding Oracle On Downgraded Legacy Encryption." In short, it took advantage of the fact that, in order to maximize the chances of finding one in common, browsers and servers often support a wide variety of encryption standards—some of which date back years, or even decades. POODLE describes a way to convince browsers and servers to use one of the oldest such standards, SSL 3.0, where the researchers had found a vulnerability.
The easiest fix for this vulnerability is simply to disable SSL 3.0, as many browsers have begun to do (and which our browser extension HTTPS Everywhere does, where possible). POODLE serves as a reminder that security it only as strong as its weakest link—and we must keep that in mind when designing and maintaining security systems.
With all eyes on our security tools, it seems likely that problems will continue to get discovered in 2015 and beyond. But with Internet users increasingly signaling that privacy and security are a priority, we trust they continue to get the serious resources and fixes they deserve.
This article is part of our Year In Review series; read other articles about the fight for digital rights in 2014. Like what you're reading? EFF is a member-supported nonprofit, powered by donations from individuals around the world. Join us today and defend free speech, privacy, and innovation.