As the Heartbleed flaw in the OpenSSL security software spreads to cause more problems, one of the issues highlighted is the possible decrease in internet speeds. This possible drop in speed will most likely be caused by the number of sites refreshing their security certificates as part of everyday interactions on the internet.
Whenever one computer talks to another on the internet, e.g. a home PC or laptop connecting to a webserver hosting a website, security certificates are exchanged so that the two machines can be sure of each other’s identity. In short, because of the flaws in OpenSSL exposed by the Heartbleed bug, there are many more certificates being exchanged during these interactions, which causes the authentication process to take longer.
The estimated number of affected sites is thought to be around 500,000, and includes big names such as Google, Facebook and Dropbox, sites used every day by hundreds of millions. However, these bigger sites are thought to have patched the security flaws in OpenSSL, which will prevent cyber-criminals from attacking web servers.
The updating of security certificates ties in with OpenSSL, as a certificate guarantees a site’s identity. OpenSSL simply transports sensitive data to a destination in a secure fashion, but once at the destination the two points communicate with each other in order to verify the identity of one another. If one machine can’t prove it’s secure, the information will not be delivered. This is the same principle as how your email client blocks an email address if you mark it as spam.
The Heartbleed bug virtually rendered OpenSSL (SSL stands for Secure Sockets Layer) insecure, as criminals could get their hands on the security keys of websites which used the software. Once stolen, criminals could then use the key to impersonate another legitimate website, in order to gain information illegally.
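The practical consequence of the key theft described above, and of the certificate refresh mentioned at the start of the article, is that a site operator has to check whether each certificate was issued before the server was patched: if it was, the private key may already have leaked and the certificate needs to be re-keyed and reissued. The script below is an added example, not code from the article or from the OpenSSL project; it assumes the `openssl` command-line tool and GNU `date` are installed, and the certificate it tests against is a locally generated, constructed sample rather than any real site's certificate.

```shell
#!/bin/sh
# Added example (not from the article): flag certificates whose notBefore date
# predates the day the server was patched for Heartbleed, since their private
# key may have been exposed while the server was still vulnerable.
# Assumes the openssl CLI and GNU date (for `date -d`) are available.

set -e

# cert_needs_reissue CERT_PEM PATCH_DATE
# Prints "yes" if the certificate was issued before PATCH_DATE (YYYY-MM-DD),
# meaning it should be re-keyed and reissued; otherwise prints "no".
cert_needs_reissue() {
    cert="$1"
    patch_date="$2"
    # openssl prints e.g. "notBefore=Apr  9 12:00:00 2014 GMT"; drop the label.
    not_before="$(openssl x509 -noout -startdate -in "$cert" | sed 's/^notBefore=//')"
    issued_epoch="$(date -d "$not_before" +%s)"
    patch_epoch="$(date -d "$patch_date" +%s)"
    if [ "$issued_epoch" -lt "$patch_epoch" ]; then
        echo yes
    else
        echo no
    fi
}

# make_sample_cert OUT_PEM
# Generates a throwaway self-signed certificate and key so the check can be
# run offline. This is a constructed sample; the CN "sample.invalid" is not a
# real host.
make_sample_cert() {
    out="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=sample.invalid" -days 30 \
        -keyout "${out%.pem}.key" -out "$out" 2>/dev/null
}

# Stand-alone usage: a certificate minted today is newer than a 2014 patch
# date, so no reissue is needed; a patch date in the future would flag it.
tmp="$(mktemp -d)"
make_sample_cert "$tmp/site.pem"
echo "issued: $(openssl x509 -noout -startdate -in "$tmp/site.pem")"
echo "needs reissue (patched 2014-04-08): $(cert_needs_reissue "$tmp/site.pem" 2014-04-08)"
```

In a real clean-up the patch date is the day each host's OpenSSL was actually updated, not the public disclosure date, and any certificate flagged "yes" should be replaced with one issued for a freshly generated key, with the old certificate revoked.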
The fact that big companies like Google or Facebook were affected does not mean that these corporations don’t take security seriously; it just highlights how common the use of OpenSSL is on the internet. This in turn highlights how quickly a virus or another security scare can spread across the internet if such a flaw is identified.
Some are now calling for these big companies, and governments, who use the OpenSSL software to a huge extent, to contribute to its maintenance and future research. Currently, annual donations to the OpenSSL foundation amount to $2,000, a mere pittance to somebody like Google or Facebook.