I work with the Guardian Project, a group of developers, researchers, advocates, activists and trainers who work on open source mobile security. Even though we actually make security software, including Orbot, the Tor client for Android, we found ourselves affected by the discovery of the Heartbleed bug.
If you haven't been following the news, the Heartbleed bug is a major vulnerability in OpenSSL, the security software used to encrypt Internet traffic. OpenSSL is an encryption standard used by a large percentage of the world's secure websites. It creates a secure connection between you and whatever website or service (like chat or email) you're connecting to and (in practice) should prevent others from listening in on your communications.
The name "Heartbleed" comes from a feature of OpenSSL which periodically sends a signal or "heartbeat" from one end of the secure connection to the server to let the other know they are still on the line and to should keep the link going. An error introduced in late 2011 created a way for this heartbeat function to trick the server into revealing encrypted information along with the "I'm still on the line" heartbeat message.
Leaking credit card numbers or usernames and passwords is bad enough, but what makes Heartbleed particularly dangerous is that it could potentially expose the encryption keys used by the servers to secure all the data it transmits and receives. Someone able to get these keys could not only listen in on the encrypted communication as it happens, but also decrypt past communication.
We used to think intercepting and storing encrypted data in order to figure out a way to decrypt it was pretty unlikely, but news of theNSA's various surveillance programs shows otherwise. Our friends at the EFF argue for the adoption of Perfect Forward Secrecy, which creates a new encryption key each time a new connection is a made. This limits the amount of information vulnerable to interception. Hans-Christoph Steiner, my colleague at the Guardian project wrote a rather prescient post on our blog about Forward Secrecy a couple months ago, and argues that supporting a range of diverse encryption methods would help protect the Internet from future Heartbleed scenarios.
We've been working to help secure the mobile data and communications of people all over the world including human rights defenders, journalists and activists. We hope this is the start of a larger conversation about security, privacy and how people can protect themselves online. If there's an upside to the Heartbleed bug, maybe it’s that it draws attention to the importance of digital security for everyone which in turn helps the people we work with who are most at risk.
Here are a couple of the secure communication tools the Guardian Project develops:
ChatSecure: Private and Secure Messaging
ChatSecure (formerly “Gibberbot”) is a full featured mobile messaging application integrated with the “Off the Record” encrypted chat protocol, that allows you to chat with anyone, anywhere using the XMPP chat standard.
Ostel: Encrypted Phone Calls
A tool for having end-to-end encrypted phone calls. This is a public testbed of the Open Secure Telephony Network (OSTN) project, with the goal of promoting the use of free, open protocols, standards and software, to power end-to-end secure voice communications on mobile devices, as well as with desktop computers.
Are there any tools you're using to stay on top of your digital security?