Heartbleed is 10 Years Old – Farewell Heartbleed, Hello QuantumBleed!

Heartbleed made most certificates vulnerable. The future problem is that quantum decryption will make all certificates and everything else using RSA encryption vulnerable to everyone.

The infamous Heartbleed bug turned ten years old on April 1. If we don’t act now, it will happen again courtesy of quantum computing – but this time it could be worse. 

The Heartbleed bug in OpenSSL was independently discovered by Codenomicon and Google in March 2014. Google reported it to OpenSSL on April 1, 2014. OpenSSL apparently wished to delay full disclosure to give time for fixes to be developed – but with two separate research teams discovering the flaw, the possibility of wider knowledge could not be ignored. 

Details were published on the CVE List with the identifier CVE-2014-0160 on April 7, 2014 – but April 1 is the widely recognized anniversary date. The problem was a small error in OpenSSL’s implementation of the TLS/DTLS protocols in versions 1.0.1 to 1.0.1f – but the effect was massive.

Remote attackers could steal the X.509 certificate secret keys, usernames and passwords, communications, and documents. Netcraft figures for April 2014 suggested that two-thirds of the internet used servers using OpenSSL. Exploitation was undetectable.

The basic problem was that Heartbleed made most certificates vulnerable. The future problem is that quantum decryption will make all certificates and everything else using RSA encryption vulnerable to everyone. This will happen – the only question is ‘when?’. 

Kevin Bocek, chief innovation officer at Venafi, compared the Heartbleed of ten years ago to the future quantum debacle – let’s call it QuantumBleed. “Heartbleed required applications to be changed. And then the identities that were used with those applications – so TLS keys and certificates had to be changed. And there were multiple sub requirements within that because you had to reissue, you had to revoke, you had to install, and you had to validate that everything was complete. And when you did all those things, you were ready,” he told SecurityWeek.

But for QuantumBleed, he continued, that would just be the first stage. “In the post quantum world, we will have to do that multiple times, and more often than we might think.” Google has already reduced the acceptable lifespan of a certificate to 398 days. In March 2023, it proposed reducing this to 90 days in its ‘Moving Forward, Together’ roadmap. “With quantum decryption we may be advised to change our certificates more frequently than 90 days, or maybe we will be advised to change them tomorrow.”

With QuantumBleed, all the original problems from Heartbleed – including the long tail of remediation efforts, magnified by today’s more complex and distributed infrastructures – will kick in, but repeatedly.

Speaking with the Intelligence and National Security Alliance on March 19, 2024, Gil Herrera, director of research at the NSA, described the arrival of quantum and its decryption capabilities: “If this black swan event happens, then we’re really screwed.” He is concerned that the world economy – and especially the US economy – would suffer since most of the world’s financial transactions are secured by RSA.

Dennis Mandich, the CTO at Qrypt, responded on LinkedIn that this is no ‘black swan’: “This is really a “White Swan” event – easily predictable with severe consequences, even if we do not know the date.” Fundamentally, it is black if we are not prepared, but white if we are prepared.

It is important to note the difference between quantum RSA decryption and non-quantum RSA cracking. The latter could, technically, have already occurred. National intelligence agencies could have achieved this – but they would keep it secret and for their own use only. Achieving full quantum computing would be too massive to hide. Knowledge would escape. 

Cloud quantum computing already exists on a limited scale. This would expand until everyone, intelligence agencies and criminals alike, would have access and be able to decrypt certificates. This is the fundamental reasoning behind the NIST drive to produce quantum proof encryption algorithms to replace RSA – to transform the black swan event into a white swan event. 

The problem is that developing these algorithms and transitioning commerce to their use will take time, and we don’t know how much time is available. Predictions for the arrival of RSA decryption-capable quantum computers (Q-day) vary between five and twenty years.

Charles Blauner, CISO at Team8, told SecurityWeek that lack of preparedness for quantum is one of his major concerns. “I don’t view that as a major risk in the next year or two. But it does scare me, the lack of preparation for when that’s going to happen, because no one knows exactly when it’s going to happen.” His concern is not so much that we cannot prepare for it (with NIST’s quantum-proof algorithms), but that we haven’t begun the preparation.

“It can take a decade or more [for large organizations] to swap out cryptographic infrastructures,” he continued. “If quantum at scale happens within seven years from now, then we’re in deep trouble because we haven’t begun that migration yet. The cryptographic infrastructure, especially around things like software updates, software signatures and all that stuff, is fundamental to the security of the internet.”

Bocek agrees that QuantumBleed is the biggest mid to longer term threat we face today. He is slightly more optimistic than Blauner. He believes that if we really begin to understand the importance of the issue, we can achieve it in less time. But it’s still a mammoth task.

“RSA is the foundation on which we’ve built modern cybersecurity, modern digital commerce, and modern social media. How do I know I’m actually connecting my phone to Facebook, or YouTube, or Zoom? How do I know my app is really connecting to the cloud? It’s because of RSA – and when that crumbles, everything else stops working.”

It will crumble. We cannot stop that. All we can do is replace RSA with something that will be QuantumBleed resistant. That will require swapping out all RSA usage and replacing it with NIST’s quantum proof encryption algorithms. “That cannot be done overnight,” he said. “It’s a migration that will be measured in years, not months. So, get started now.”
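As an added example (not from the article or from anyone quoted in it), the shell functions below audit a certificate for the two properties the article says will have to change: the key algorithm and the certificate lifetime, measured against the 398-day and 90-day figures above. They assume the `openssl` CLI and GNU `date`; the function names, flag labels and the `constructed.example` test certificate are made up for illustration.

```shell
#!/bin/sh
# Added example: inventory check for one PEM certificate.
# Assumes the openssl CLI and GNU date (for `date -d`).

cert_key_alg() {            # $1 = PEM certificate file
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

cert_lifetime_days() {      # whole days between notBefore and notAfter
    nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    echo $(( ( $(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s) ) / 86400 ))
}

audit_cert() {              # prints: <algorithm> <days> <comma-separated flags>
    alg=$(cert_key_alg "$1")
    days=$(cert_lifetime_days "$1")
    flags=""
    case "$alg" in
        # RSA is the article's concern; elliptic-curve keys fall to the same
        # quantum algorithm (Shor), so they are flagged as well.
        rsa*|RSA*|id-ecPublicKey) flags="shor-exposed" ;;
    esac
    # 398 days: current lifespan limit cited in the article.
    if [ "$days" -gt 398 ]; then flags="$flags,over-398d"; fi
    # 90 days: the lifespan proposed in the 'Moving Forward, Together' roadmap.
    if [ "$days" -gt 90 ]; then flags="$flags,over-90d"; fi
    flags=${flags#,}
    echo "$alg $days ${flags:-none}"
}

make_sample_cert() {        # $1 = output file, $2 = days, rest = key options
    out=$1; days=$2; shift 2
    # Constructed self-signed certificate, generated locally for the demo.
    openssl req -x509 -nodes "$@" -keyout "$out.key" -out "$out" \
        -days "$days" -subj "/CN=constructed.example" 2>/dev/null
}

# Demo on a constructed RSA certificate valid for 400 days.
tmp=$(mktemp -d)
make_sample_cert "$tmp/rsa400.pem" 400 -newkey rsa:2048
audit_cert "$tmp/rsa400.pem"
```

Run over every certificate an organization can find, the output gives a count of what has to be reissued and how far each lifetime is from a 90-day rotation.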

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
