The Heartbleed bug is a recently discovered security vulnerability which puts users’ passwords at risk on several popular websites. It is an extremely serious problem that has single-handedly turned the whole internet on end.
Heartbleed is a security vulnerability in OpenSSL software that lets a hacker access the memory of data servers. According to the Internet research firm Netcraft, 500,000 websites can potentially be affected. This means that a user’s sensitive personal data, including usernames, passwords and credit card information, is at risk of being stolen. This also means that companies are in danger of having their servers’ digital keys, used to encrypt communications, stolen along with confidential internal documents.
Secure Sockets Layer (SSL), now known as Transport Layer Security (TLS), is the most basic means of encrypting information on the Web; it mitigates the risk of someone eavesdropping on you as you browse the internet. The “https” in the URL of SSL-enabled sites like Gmail, rather than simply “http”, indicates that SSL is in use.
The versions of OpenSSL, the open-source SSL implementation, that contain the vulnerability are 1.0.1 through 1.0.1f. OpenSSL is also part of the Linux operating system and a component of Apache and Nginx, two very widely used programs for running websites. In other words, it is used extensively across the Web.
Discovery of the bug
Credit for the discovery of the Heartbleed Bug is given to the security firm Codenomicon and Google researcher Neel Mehta, who found the bug independently, though on the same day.
Mehta donated the $15,000 bounty he was awarded for helping find the bug to the Freedom of the Press Foundation’s campaign for the development of encryption tools for journalists to use when communicating with sources. Mehta has declined press interviews, but when asked for a comment, Google said, “The security of our user’s information is a top priority. We proactively look for vulnerabilities and encourage others to report them precisely so that we are able to fix them before they are exploited.”
How it got its name
According to Vocativ, the term “Heartbleed” was coined by Ossi Herrala, a systems administrator at Codenomicon. It has a nicer ring to it than its technical name, CVE-2014-0160, which is the name for the line of code that contained the bug.
Heartbleed is a play on words referring to an extension on OpenSSL called “heartbeat.” The protocol is used to keep connections open, even when data isn’t being shared between those connections. David Chartier, chief executive of Codenomicon told Vocativ, “Herrala thought it was fitting to call it Heartbleed because it was bleeding out the important information from the memory.”
The name was specifically chosen to be catchy because the team at Codenomicon wanted something press friendly that could catch on quickly, to warn more people of the important bug. Soon after they named the bug, they bought the domain Heartbleed.com to educate people about the very destructive bug.
Some sites aren’t affected
Although OpenSSL is very popular, there are other SSL/TLS options. In addition, some websites use an earlier, unaffected version, and some didn’t enable the “heartbeat” feature that was central to the vulnerability.
While it doesn’t solve the problem, what limits the scope of the potential damage is the implementation of perfect forward secrecy, or PFS, a practice that makes sure encryption keys have a very short shelf life and are not used forever. What this means is that if an attacker did get an encryption key out of a server’s memory, the attacker wouldn’t be able to decode all secure traffic from that server, because each key’s use is very limited. While some tech giants, like Google and Facebook, have started to support PFS, not every company does.
How the bug works
The vulnerability allows a hacker to access up to 64 kilobytes of server memory per request, but the attack can be performed again and again to gather a massive amount of information. This means an attacker can receive not only usernames and passwords, but also “cookie” data that Web servers and browsers use to track individuals and ease login. According to the Electronic Frontier Foundation, committing the attack repeatedly could yield more serious information, including a site’s private SSL key, used to encrypt traffic. With this key, someone could run a fake version of a website and use it to steal all other forms of information, like credit card numbers or private messages.
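The missing validation the article describes, shown as an added toy in C (this is not OpenSSL’s own code): a simplified heartbeat responder is written twice, first trusting the payload length the peer claims in the record header, then checking that claim against the length of the record actually received, which is the shape of the fix. The record layout, the `arena` standing in for process memory, the `SECRET` value and the `run_scenario` helper are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added, simplified illustration of the heartbeat-length bug; not OpenSSL's
 * code. A heartbeat record is: 1-byte type, 2-byte big-endian payload
 * length, the payload, then padding (at least 16 bytes). The bug is trusting
 * the peer's claimed payload length instead of checking it against the
 * length of the record that was actually received. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define REC_LEN     21                 /* 1 type + 2 length + 2 payload + 16 padding */
#define SECRET      "SESSION=abc123;"  /* constructed stand-in for unrelated data in memory */

/* Constructed process memory: the received record sits at the front, and
 * unrelated data (the "secret") happens to sit right after it. */
static unsigned char arena[256];

static void build_arena(uint16_t claimed) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    arena[3] = 'h';                    /* the real payload is only 2 bytes */
    arena[4] = 'i';
    memcpy(arena + REC_LEN, SECRET, strlen(SECRET));
}

/* Vulnerable responder: echoes back as many bytes as the peer claimed,
 * reading past the end of the record when the claim is too large.
 * Returns the number of payload bytes echoed, or -1 on failure. */
static int respond_unchecked(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                     /* the real record length is never consulted */
    if ((size_t)claimed + 3 > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed); /* over-read when claimed > real payload */
    return claimed;
}

/* Hardened responder: header + claimed payload + minimum padding must fit
 * inside the record that was actually received; otherwise the request is
 * silently dropped. */
static int respond_checked(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap) {
    if (rec_len < 3) return -1;        /* no room for type + length */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + claimed + 16 > rec_len) return -1;  /* the missing check */
    if ((size_t)claimed + 3 > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);
    return claimed;
}

/* Build the constructed record with the given claimed length, run one of
 * the responders, and report whether the echoed payload contains the secret.
 * Returns the echoed payload length, or -1 if the request was rejected. */
int run_scenario(uint16_t claimed, int hardened, int *leaked) {
    unsigned char out[512];
    size_t secret_len = strlen(SECRET);
    build_arena(claimed);
    int n = hardened ? respond_checked(arena, REC_LEN, out, sizeof out)
                     : respond_unchecked(arena, REC_LEN, out, sizeof out);
    *leaked = 0;
    for (int i = 0; n > 0 && i + (int)secret_len <= n; i++) {
        if (memcmp(out + 3 + i, SECRET, secret_len) == 0) { *leaked = 1; break; }
    }
    return n;
}

int main(void) {
    int leaked;
    int n = run_scenario(2, 0, &leaked);
    printf("unchecked, honest length 2: echoed %d bytes, leaked=%d\n", n, leaked);
    n = run_scenario(40, 0, &leaked);
    printf("unchecked, claimed 40:      echoed %d bytes, leaked=%d\n", n, leaked);
    n = run_scenario(40, 1, &leaked);
    printf("checked,   claimed 40:      echoed %d bytes, leaked=%d\n", n, leaked);
    return 0;
}
```

With an honest 2-byte payload both responders behave the same; with a claimed length of 40 the unchecked responder copies bytes that were never part of the record, and the adjacent `SECRET` shows up in the reply, while the checked responder drops the request. The real fix in OpenSSL is a comparison of the same shape; the 64-kilobyte figure in the article follows from the 2-byte length field.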
Changing your password
For many websites, changing your password will help protect your important information from attack. However, wait until you get confirmation from the website operator that the bug has been patched. It’s a natural reaction to want to change all of your passwords immediately, but if the website’s bug has not been fixed yet, making the change could be useless; you would only be giving an attacker your new password.
Checking to see if a website is affected
A few companies and developers have created testing sites to check which websites are vulnerable or safe. Two of the better sites are by LastPass, a company that makes password management software, and Qualys, a security firm. While these test sites are a good preliminary check, proceed with caution even if the site gives you an all-clear indication. If you’re given a red flag, however, avoid the site altogether.
Who came up with the bug
According to the Guardian, the programmer who wrote the glitchy code was Robin Seggelmann, who worked for the OpenSSL project while doing his Ph.D. studies from 2008 to 2012. Adding to the drama of the situation, he submitted the code at 11:59 p.m. on New Year’s Eve 2011, though he claims the timing has nothing to do with the bug. “I am responsible for the error,” Seggelmann said. “Because I wrote the code and missed the necessary validation by an oversight.”
As an open-source project, it’s hard to place the blame completely on one person. As Zulfikar Ramzan, chief technology officer of cloud security startup Elastica, explained to The New York Times, there was so much complex code that people had been writing that the Heartbeat protocol in particular did not get enough scrutiny. “Heartbeat is not the main part of SSL. It’s just one additional feature within SSL,” he said. “So it’s conceivable that nobody looked at that code as carefully because it was not part of the main line.”
Is my bank account in danger?
Most banks don’t use OpenSSL, but instead use proprietary encryption software. But if you’re unsure, contact your bank directly for confirmation that the website is secure. Still, John Miller, security research manager for security and compliance firm TrustWave, suggests keeping a close eye on financial statements for the next few days to make sure there are no unfamiliar charges.