Three Vulnerabilities That Rocked the Online Security World: 2014 in Review

Three major vulnerabilities rocked the world of Internet security this year, including two high-profile bugs that jeopardized the security of HTTPS encryption itself. These vulnerabilities may have each cost sysadmins around the world some sleepless nights, but they also reinforced the idea that best security practices can protect users even where the software has bugs.

Heartbleed: In April, two teams of researchers disclosed an issue with the way the popular OpenSSL software implemented an extension called a "heartbeat." Normally, a heartbeat allows you to make sure a server is still online, by asking it to respond at a regular interval. But OpenSSL could be tricked into responding with more information than it had been asked for directly, which could lead to the server disclosing the data it held (or even, as it turned out, its keys).

Unfortunately, this kind of simple programming error happens—and it can go unobserved for a while, even in open source software. As we said in April, there's an important mitigation that could protect users from some of the worst fallout of bugs like Heartbleed: forward secrecy. Without forward secrecy, communications that were intercepted at any point are vulnerable to decryption if the key is ever compromised—through a bug like Heartbleed, or any other way. But with forward secrecy enabled, past messages are safe, and sysadmins can protect future messages by creating a new key.

Shellshock: In September, a serious bug in the widely used Unix Bash shell was identified, which enabled environment variables to execute arbitrary commands on the affected machines. In addition to being significant as a security problem, it was also notable for its longevity: versions of the vulnerability date back to Bash releases from 1989.

POODLE: Finally, in December, a research team disclosed an attack named POODLE, short for "Padding Oracle On Downgraded Legacy Encryption." In short, it took advantage of the fact that, in order to maximize the chances of finding one in common, browsers and servers often support a wide variety of encryption standards—some of which date back years, or even decades. POODLE describes a way to convince browsers and servers to use one of the oldest such standards, SSL 3.0, where the researchers had found a vulnerability.

The easiest fix for this vulnerability is simply to disable SSL 3.0, as many browsers have begun to do (and which our browser extension HTTPS Everywhere does, where possible). POODLE serves as a reminder that security it only as strong as its weakest link—and we must keep that in mind when designing and maintaining security systems.

With all eyes on our security tools, it seems likely that problems will continue to get discovered in 2015 and beyond. But with Internet users increasingly signaling that privacy and security are a priority, we trust they continue to get the serious resources and fixes they deserve.

This article is part of our Year In Review series; read other articles about the fight for digital rights in 2014. Like what you're reading? EFF is a member-supported nonprofit, powered by donations from individuals around the world. Join us today and defend free speech, privacy, and innovation.

Related Issues

Security

Related Updates

Deeplinks Blog by Karen Gullo | April 1, 2024

Ola Bini Faces Ecuadorian Prosecutors Seeking to Overturn Acquittal of Cybercrime Charge

Ola Bini, the software developer acquitted last year of cybercrime charges in a unanimous verdict in Ecuador, was back in court last week in Quito as prosecutors, using the same evidence that helped clear him, asked an appeals court to overturn the decision with bogus allegations of unauthorized access...

Deeplinks Blog by Paige Collings | March 8, 2024

Four Voices You Should Hear this International Women’s Day

Around the globe, freedom of expression varies wildly in definition, scope, and level of access. The impact of the digital age on perceptions and censorship of speech has been felt across the political spectrum on a worldwide scale. In the debate over what counts as free expression and how it...

Deeplinks Blog by Paige Collings, Thorin Klosowski | March 8, 2024

Four Infosec Tools for Resistance this International Women’s Day

While online violence is alarmingly common globally, women are often more likely to be the target of mass online attacks, nonconsensual leaks of sensitive information and content, and other forms of online violence. This International Women’s Day, visit EFF’s Surveillance Self-Defense (SSD) to learn how to defend yourself and...

Deeplinks Blog by Karen Gullo | February 7, 2024

Protect Good Faith Security Research Globally in Proposed UN Cybercrime Treaty

Statement submitted to the UN Ad Hoc Committee Secretariat by the Electronic Frontier Foundation, accredited under operative paragraph No. 9 of UN General Assembly Resolution 75/282, on behalf of 124 signatories. We, the undersigned, representing a broad spectrum of the global security research community, write to express our serious concerns...

Deeplinks Blog by Karen Gullo | February 7, 2024

Draft UN Cybercrime Treaty Could Make Security Research a Crime, Leading 124 Experts to Call on UN Delegates to Fix Flawed Provisions that Weaken Everyone’s Security

Security researchers’ work discovering and reporting vulnerabilities in software, firmware, networks, and devices protects people, businesses and governments around the world from malware, theft of critical data, and other cyberattacks. The internet and the digital ecosystem are safer because of their work.The UN Cybercrime Treaty,...

Deeplinks Blog by Cooper Quintin | January 31, 2024

Worried About AI Voice Clone Scams? Create a Family Password

Your grandfather receives a call late at night from a person pretending to be you. The caller says that you are in jail or have been kidnapped and that they need money urgently to get you out of trouble. Perhaps they then bring on a fake police officer or kidnapper...

Deeplinks Blog by Karen Gullo | January 29, 2024

In Final Talks on Proposed UN Cybercrime Treaty, EFF Calls on Delegates to Incorporate Protections Against Spying and Restrict Overcriminalization or Reject Convention

Update: Delegates at the concluding negotiating session failed to reach consensus on human rights protections, government surveillance, and other key issues. The session was suspended Feb. 8 without a final draft text. Delegates will resume talks at a later day with a view to concluding their work and providing a...

Deeplinks Blog by Paige Collings | January 19, 2024

EFF’s 2024 In/Out List

Since EFF was formed in 1990, we’ve been working hard to protect digital rights for all. And as each year passes, we’ve come to understand the challenges and opportunities a little better, as well as what we’re not willing to accept. Accordingly, here’s what we’d like to see a lot...

Deeplinks Blog by Bill Budington, Alexis Hancock | December 23, 2023

Sketchy and Dangerous Android Children’s Tablets and TV Set-Top Boxes: 2023 in Review

In a series of investigations this year, EFF researchers confirmed the existence of dangerous malware on set-top boxes manufactured by AllWinner and RockChip, and discovered sketchyware on a tablet marketed for kids from the manufacturer Dragon Touch.

Deeplinks Blog by Ross Schulman | December 13, 2023

Spritely and Veilid: Exciting Projects Building the Peer-to-Peer Web

While there is a surge in federated social media sites, like Bluesky and Mastodon, some technologists are hoping to take things further than this model of decentralization with fully peer-to-peer applications. Two leading projects, Spritely and Veilid, hint at what this could look like.There are many technologies used behind the...

Related Issues

Security

Three Vulnerabilities That Rocked the Online Security World: 2014 in Review

Three Vulnerabilities That Rocked the Online Security World: 2014 in Review

Related Issues

Join EFF Lists

Related Updates

Related Issues

Follow EFF:

Contact

About

Issues

Updates

Press

Donate