Heartbleed
Unless you’ve been paying no attention at all to the internet over the past week, you’ve heard about Heartbleed. And unless you’ve ignored literally all of the news about the newly discovered vulnerability, you know that it’s a widespread and potentially severe bug in OpenSSL, the cryptographic library that a large share of the internet relies on for TLS (the “S” in HTTPS). However, Heartbleed is a highly technical issue, and there is little factual information with detailed analysis available to the general public. So, get ready for a quick primer on Heartbleed, what it means for you, and what it means for the internet at large.
What is it?
Heartbleed is the unofficial name for a bug that was discovered in OpenSSL. What is OpenSSL? It is not a protocol itself but an extremely popular open-source library that implements the SSL/TLS protocols, and it is used by businesses of all sizes and in all industries. More specifically, OpenSSL handles the encryption of two-way communication between users and websites, between users and web applications, and between mobile applications and back-end servers. As you can see, then, any flaw in OpenSSL has direct and immediate consequences for basically anyone who uses the internet.
What caused Heartbleed, what does it do?
Heartbleed is a validation problem, a missing bounds check, introduced accidentally by a German programmer who contributed the feature, and it shipped in production releases of OpenSSL. Specifically, there is an error in the way the TLS Heartbeat extension (RFC 6520) has been implemented beginning in OpenSSL version 1.0.1. What is TLS Heartbeat? It is a keep-alive mechanism: one side of an encrypted connection sends a small “are you still there?” message carrying an arbitrary payload and a field stating how long that payload is, and the other side echoes the payload back. It was designed mainly for DTLS, where there is no underlying TCP connection to keep alive, and it is not how page content, video streams or downloads are delivered. In a normal Heartbeat transaction, the stated length and the payload agree, and the server simply returns what it was sent. In affected versions of OpenSSL, however, the server never checks the stated length against the size of the message it actually received. A malicious user can send a Heartbeat request with a one-byte payload that claims to be tens of thousands of bytes long, and the server will dutifully copy and return up to 64 KB of whatever happens to sit in memory next to the request buffer, which may include other users’ session cookies and passwords or even the server’s private key, and the attacker can repeat this as often as they like. (The same trick works in reverse against a vulnerable client that connects to a malicious server.) Strictly speaking this is a buffer over-read that discloses memory rather than a memory leak in the usual sense, but “bleed” stuck and gave the bug its name. The most serious implication of Heartbleed, however, is that an attack leaves almost no evidence behind: Heartbeat messages are not written to ordinary web server logs, and after the handshake they travel inside the encrypted channel. This means that even though services and websites can take proactive measures to close down Heartbleed in their applications, there is no easy way to find out whether their data was compromised before the bug was publicly disclosed.
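Here is what the missing check looks like in code. This is an added illustration written for this primer, not OpenSSL’s own source: it models the heartbeat handler with a 256-byte array standing in for the server’s memory and a made-up “secret” placed right after the request, and shows the vulnerable handler beside the handler with the bounds check that OpenSSL 1.0.1g added. All function and variable names are the example’s own.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model of OpenSSL's tls1_process_heartbeat(). A heartbeat message is
 * type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed stand-in for server memory: the received record sits at the start,
 * followed by whatever was allocated next (cookies, passwords, key material...). */
static unsigned char process_memory[256];
static const char secret[] = "session_cookie=4fd3c1; user=alice";

/* Write a heartbeat request into process_memory: claimed_len goes into the length
 * field, actual_payload bytes are really sent. Returns the received record length. */
static size_t build_request(uint16_t claimed_len, size_t actual_payload)
{
    memset(process_memory, 0, sizeof process_memory);
    unsigned char *p = process_memory;
    *p++ = HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8);
    *p++ = (unsigned char)(claimed_len & 0xff);
    memset(p, 'A', actual_payload);
    size_t rec_len = 1 + 2 + actual_payload + HB_PADDING;
    memcpy(process_memory + rec_len, secret, sizeof secret); /* "adjacent heap" */
    return rec_len;
}

/* Build the echo response: copies `payload` bytes from src, whatever they are. */
static size_t write_response(unsigned char *out, const unsigned char *src, uint16_t payload)
{
    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, src, payload);
    memset(bp + payload, 0, HB_PADDING);   /* OpenSSL fills this with random bytes */
    return 1 + 2 + (size_t)payload + HB_PADDING;
}

/* Vulnerable (OpenSSL 1.0.1 to 1.0.1f): the peer's length field is trusted and
 * never compared with rec_len, so memcpy reads past the end of the record. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                         /* never consulted: this is the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (rec[0] != HB_REQUEST || (size_t)3 + payload + HB_PADDING > out_cap)
        return 0;
    return write_response(out, rec + 3, payload);
}

/* Fixed (OpenSSL 1.0.1g): the claimed length is checked against the record actually
 * received before anything is copied; a message that lies about its length is
 * silently discarded, as RFC 6520 section 4 requires. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if ((size_t)1 + 2 + HB_PADDING > rec_len)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                          /* the missing bounds check */
    if (rec[0] != HB_REQUEST || (size_t)3 + payload + HB_PADDING > out_cap)
        return 0;
    return write_response(out, rec + 3, payload);
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

static size_t run(int fixed, uint16_t claimed_len, size_t actual_payload, unsigned char *out)
{
    size_t rec_len = build_request(claimed_len, actual_payload);
    return fixed ? heartbeat_fixed(process_memory, rec_len, out, 256)
                 : heartbeat_vulnerable(process_memory, rec_len, out, 256);
}

/* Length of the response to one request; 0 means the request was discarded. */
size_t response_length(int fixed, uint16_t claimed_len, size_t actual_payload)
{
    unsigned char out[256];
    return run(fixed, claimed_len, actual_payload, out);
}

/* 1 if the response carried the secret, which was never part of the request. */
int secret_leaked(int fixed, uint16_t claimed_len, size_t actual_payload)
{
    unsigned char out[256];
    size_t n = run(fixed, claimed_len, actual_payload, out);
    return n > 3 && contains(out + 3, n - 3, secret);
}
```

A request that sends one payload byte but claims 100 gets a 119-byte answer from the vulnerable handler, and the made-up secret sitting after the request comes back inside it; the fixed handler discards the same request and answers only honest ones. The real bug reads from the process heap, so the model keeps the over-read inside its own array purely so it can run safely.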
How was Heartbleed discovered?
Heartbleed was found independently by two groups: Neel Mehta of Google’s security team, and engineers at the Finnish security company Codenomicon, who hit it while building and improving their own security testing tools (Codenomicon also gave the bug its name). Once they had documented and reported the bug to the OpenSSL project, the findings were made public together with a fixed release, OpenSSL 1.0.1g, so that affected services could be made aware of the issue as quickly as possible.
Is Heartbleed a computer virus? Can I catch it? Do I have it?
No. A computer virus is a special type of malicious software that copies itself into other programs, and a worm is similar malware that spreads across networks on its own. Heartbleed is neither: it is a bug introduced by a programming error in a library, so it cannot be “caught” or sent to users. Only software that contains one of the flawed versions of OpenSSL is affected.
However, anyone who uses a service that runs OpenSSL versions 1.0.1 through 1.0.1f (or the 1.0.2-beta1 pre-release) can potentially have their data exposed to a malicious user. Furthermore, some mobile and desktop applications and operating systems bundle their own copy of OpenSSL, which makes those applications open to a Heartbleed attack in the other direction: a malicious or compromised server can read memory from a vulnerable client (Android 4.1.1 is the best-known example). This means that all users should find out what their software relies on, and that they should look for special instructions regarding all of their online accounts.
Furthermore, anyone who is running any type of server, or who is using an internet router or other appliance with a web interface, may also be affected. Simple checks are available via online Heartbleed testers, which can tell you whether a server still answers a malformed Heartbeat, and you can also check the Mashable list to see if your favorite online service has updated its security yet. Test only servers you own or are authorized to test: a Heartbleed probe reads memory from the target, so running it against someone else’s server is an attack, not a check.
What can I do about Heartbleed?
Unfortunately, unless you are a software developer or a system administrator, there is little that you can do about the bug itself. Because Heartbleed is a back-end system error, only the technical teams and developers who operate the affected systems can fix them. As an end user, you can however make sure that all of your software, web applications, and operating systems are up to date, and you can be on the lookout over the next days, weeks, and months both for security advisories from your online services and for suspicious activity on your online accounts.
Luckily, if you want to be proactive about staying away from affected websites until they are patched, there are a few browser extensions for Google Chrome and for Mozilla Firefox that warn you when the site you are visiting still responds to a malformed Heartbeat. Keep in mind that they only test the site’s front-end server, not every system behind it.
Has Heartbleed been fixed? What are the long term implications?
Unfortunately there is no central server hosting a single instance of OpenSSL; it is freely available software that anyone can build into their own products. Thus, even though the official release of OpenSSL (1.0.1g) is now fixed, it is up to individual service providers and software developers to ensure that their specific copy is updated, every running service that loaded the old library is restarted, and their keys and certificates are replaced. Appliances and embedded devices that ship with OpenSSL may never be updated at all. This means that it could potentially take months or even years for all affected instances of OpenSSL to get patched.
Furthermore, the vulnerable code had been in OpenSSL releases since March 2012, and there have been reports, which the agency denies and which remain unconfirmed, that the United States’ National Security Agency knew of the bug and exploited it before the public disclosure. If anyone did, millions of users were at risk for two years from blackhat hackers and, perhaps more concerning, from governments and their intelligence community allies.
Because Heartbeat messages do not appear in ordinary server logs, tracing past attacks means combing through full packet captures, if any were kept, for the thousands or millions of Heartbeat records a busy server exchanges in order to identify the malformed ones, so the work of finding past Heartbleed attacks is daunting and error-prone.
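As an added example (not a tool from the original article), the following scanner applies the two signals a practitioner can actually check in a capture of one direction of a TLS connection: a Heartbeat record (TLS content type 24) that appears before the ChangeCipherSpec message, which RFC 6520 forbids and which the public exploit scripts did anyway, and a plaintext Heartbeat whose declared payload length is larger than the record carrying it. The byte strings are constructed for the example. After ChangeCipherSpec the Heartbeat header is encrypted, so only record sizes and timing remain as signals, and the scanner does not attempt those.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS record layer: content type (1) | version (2) | length (2) | body. */
#define TLS_CHANGE_CIPHER_SPEC 20
#define TLS_HEARTBEAT          24
#define HB_PADDING             16

enum {
    FLAG_NONE                     = 0,
    FLAG_HB_BEFORE_HANDSHAKE_DONE = 1,  /* heartbeat seen before ChangeCipherSpec */
    FLAG_HB_LENGTH_MISMATCH       = 2,  /* declared payload longer than the record */
    FLAG_TRUNCATED                = 4   /* stream ended inside a record */
};

/* Walk one direction of a TLS connection and return a bitmask of the flags above.
 * Before ChangeCipherSpec the heartbeat header is plaintext and can be checked;
 * after it only the record type and size are visible, so those records are just
 * counted. *n_records (if non-NULL) receives the number of complete records. */
int scan_tls_stream(const unsigned char *buf, size_t len, size_t *n_records)
{
    int flags = FLAG_NONE, encrypted = 0;
    size_t off = 0, count = 0;
    while (off + 5 <= len) {
        unsigned char type = buf[off];
        uint16_t rec_len = (uint16_t)((buf[off + 3] << 8) | buf[off + 4]);
        const unsigned char *body = buf + off + 5;
        if (off + 5 + rec_len > len)
            break;                          /* partial record: flagged below */
        count++;
        if (type == TLS_CHANGE_CIPHER_SPEC) {
            encrypted = 1;
        } else if (type == TLS_HEARTBEAT && !encrypted) {
            /* RFC 6520: heartbeats MUST NOT be sent during the handshake, but the
             * public exploit scripts sent theirs right after ServerHello. */
            flags |= FLAG_HB_BEFORE_HANDSHAKE_DONE;
            if (rec_len >= 3) {
                uint16_t payload = (uint16_t)((body[1] << 8) | body[2]);
                if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
                    flags |= FLAG_HB_LENGTH_MISMATCH;
            }
        }
        off += 5 + rec_len;
    }
    if (off != len)
        flags |= FLAG_TRUNCATED;
    if (n_records)
        *n_records = count;
    return flags;
}

/* Constructed sample captures (client-to-server bytes), not real traffic. */
static const unsigned char benign_stream[] = {
    0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00, /* handshake fragment */
    0x14, 0x03, 0x01, 0x00, 0x01, 0x01,                         /* ChangeCipherSpec */
    0x17, 0x03, 0x01, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef,       /* encrypted app data */
};
static const unsigned char probe_stream[] = {
    0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00, /* handshake fragment */
    0x18, 0x03, 0x01, 0x00, 0x03, 0x01, 0x40, 0x00, /* 3-byte heartbeat claiming 16384 bytes */
};
static const unsigned char truncated_stream[] = {
    0x18, 0x03, 0x01, 0x00, 0x10, 0x01, 0x00, 0x0d, 0x41,       /* says 16 bytes, 4 present */
};
static const size_t benign_stream_len = sizeof benign_stream;
static const size_t probe_stream_len = sizeof probe_stream;
static const size_t truncated_stream_len = sizeof truncated_stream;

int main(void)
{
    size_t n;
    int f = scan_tls_stream(probe_stream, probe_stream_len, &n);
    printf("probe: %zu records, flags=%d (1=heartbeat before handshake done, 2=length mismatch)\n", n, f);
    f = scan_tls_stream(benign_stream, benign_stream_len, &n);
    printf("benign: %zu records, flags=%d\n", n, f);
    f = scan_tls_stream(truncated_stream, truncated_stream_len, &n);
    printf("truncated: %zu records, flags=%d (4=truncated)\n", n, f);
    return 0;
}
```

The intrusion-detection signatures published after the disclosure worked along the same lines. The catch is the one the paragraph above makes: this only helps if full captures from before the disclosure were kept, and almost nobody kept them.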
Will changing my passwords keep me safe from Heartbleed?
Yes and no. Heartbleed doesn’t let an attacker pick a particular user to target; it exposes whatever happens to be in the server’s memory, which can include other users’ passwords and session cookies as well as the server’s own private key. The wider issue is that private key. The certificate itself is public, but the key behind it is what the certificate vouches for, and it is one of the trust-building components of the internet. With a stolen key, an attacker can fool software and users into trusting a fake copy of the website, which can push malicious software onto their computers; they can hijack user sessions; and they can decrypt captured traffic that was secured with that key, including traffic recorded before the patch, unless the connection used a forward-secret key exchange. Because of this, changing your password before the key has been replaced has little effect, because the attacker can simply read the new one out of the next connection.
Thus, affected services that have properly updated their security have also revoked their old certificates and issued new ones with newly generated private keys (a new certificate for the same old key fixes nothing). This means that attackers who obtained the old key will no longer be able to impersonate the site, control user sessions, or decrypt new traffic. However, any recorded traffic that was encrypted under the old key without forward secrecy can still be decrypted.
So, changing your password once a service has updated OpenSSL and replaced its keys will help to prevent further attacks, but it will do nothing if your existing data was already compromised. Change it only after the service says it is fixed; changing it on a still-vulnerable site may just hand the new password to an attacker.