SSL, XP and Heartbleed: Financial Security Online


Security has been on the minds of a lot of people in the financial community as of late. Microsoft discontinued its support of XP on April 8th, the same day major news broke of Heartbleed, a widespread bug found by Google. The bug was found in OpenSSL, a library that underpins one of the most common security measures on the entire Internet.

As companies that use the open source technology work to patch their systems and let their customers know about their fixes, it is important to keep in mind what exactly happened, and how we got here.

Heartbleed was originally discovered as a vulnerability in the OpenSSL cryptographic library. The vulnerability allows information passing through an SSL connection to be viewed or even stolen. Despite its reach, the bug did not break the entire Internet. Measures like point-to-point encryption, something most companies in payments and finance consider a bare minimum for security, remained reliable and safe.

Any system worth its salt, from email newsletters to complex banking systems, is layered like an onion with security measures; this prevents a single exploit from exposing sensitive information.

While the companies, banks and businesses that rely on proprietary software may not have faced an issue on the same scale as Heartbleed, they were tasked that very same day with massive software overhauls away from XP on what, in some cases, may be hundreds or thousands of machines and network systems.

Here’s the thing: it can be easy to look at something like a bug in OpenSSL and assume that open source software is more at risk than proprietary technology. The reality of open source software is that every company using it has a stake in both its maintenance and its security, and that security work continues for as long as there is still interest in the piece of software.

When Heartbleed was discovered, work began immediately on a patch, and public disclosure of the bug was only made after that work was completed. This is the type of behavior that any company or individual with a stake can work towards or contribute to, with Google and Amazon in particular having the most resources to put towards the issue. The entire process was absolutely transparent about the issues and risks, as ugly as they were to look at.

It is rarer and rarer for proprietary software to present problems or bugs that raise the alarm of the entire Internet, but when issues are found, they can be fixed or patched with little to no notification or explanation of the issue. Users of that software may never directly understand how they were impacted or put at risk.

In the case of Microsoft XP, a massively adopted and trusted operating system for over 10 years, all users, regardless of industry, must now rework their entire system before any severe bugs are discovered in XP. Combine this with the learning curve that new software imposes on employees and customers, and suddenly you have a task every bit as enormous as fixing Heartbleed.

For us as an industry, working to improve every part of our lives and businesses, it is in all of our best interests to be able to safeguard all financial information, at all times, on any platform.

The discovery of Heartbleed alongside XP’s retirement served as a great reminder of the question, ‘How much security is enough security?’ That ongoing conversation is never far from the minds of those in the world of tech and payments.