What is Heartbleed?
This is one of the biggest flaws today’s internet has faced. At its core, Heartbleed is about the encryption used in the design of HTTPS, which is built on SSL and TLS (Secure Sockets Layer and Transport Layer Security). OpenSSL is the widely used open-source toolkit that implements these cryptographic protocols. Heartbleed is a flaw in this toolkit: neither the human user nor the server-side platform has any clue that a security flaw exists, and it can be taken advantage of by anyone.
When was this discovered?
Around Monday, the 8th of April, 2014. Severe implications for the entire web community were foreseen. This bug can leak sensitive user information and personally identifiable information such as usernames, passwords, SSNs, credit card numbers, bank account details and transactions. The bug has been present since 2011. All it does is expose 64K of data from a piece of the server’s memory, but that is enough to steal plenty of personal information and, more importantly, it is also enough to obtain a private key, which can then be used to decrypt the rest of the information.
Who found the bug first?
This bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and by Neel Mehta of Google Security, who first reported it to the OpenSSL team (source: heartbleed.com). While it is not essentially a bug but a simple programming error that led to Heartbleed, Neel Mehta of Google deserves a big thanks for another reason: he donated the $15,000 bounty he received for discovering this bug to the Freedom of the Press Foundation’s campaign for the development of better encryption tools. According to the LA Times, “Both teams found that OpenSSL, an open-sourced security encryption program used by 66% of Internet servers, had a flaw that would allow any hacker using a simple script to gain access to a treasure trove of personal information”.
Who is responsible for this Heartbleed bug?
According to the Guardian, the programmer behind this code glitch was Robin Seggelmann, who worked on the Heartbeat extension for the OpenSSL project. This extension is an additional feature, not a core part of OpenSSL. And since OpenSSL is an open-source project, one person alone cannot be blamed.
Nomenclature. Why is it called Heartbleed, and what’s the reason behind this nickname?
An engineer at Codenomicon coined it. The technical name, CVE-2014-0160, was assigned for the particular line of code that contained the vulnerability. According to the systems administrator at Codenomicon who coined the term, he simply played on the word ‘heartbeat’, the name of the OpenSSL extension in which the flaw sits. Ossi Herrala, the Codenomicon employee, “thought it was fitting to call it Heartbleed because it was bleeding out the important information from the memory”. They even bought the domain heartbleed.com from a group who had used it as a music lyrics site, so as to spread word of this security flaw among the IT community, and they are quite happy with the outcome and with how quickly the IT community responded to correct the flaw. Basically, affected sites just had to upgrade the OpenSSL toolkit to the latest version to overcome this security flaw.
Why are only some sites affected?
Since the core problem was in the OpenSSL extension called ‘Heartbeat’, which is the central point of vulnerability, any website that used this feature was affected. Although OpenSSL is popular, some websites used other SSL/TLS implementations and options. Some websites ran an upgraded version or an earlier version of the toolkit, which is why they escaped the vulnerability. Separately, and while it does not completely solve the problem at hand, not all companies use PFS (Perfect Forward Secrecy), a property of certain key agreement protocols in cryptography. PFS is among the most secure options available today because it ensures that compromising a single key gives access only to the data protected by that one key. Such keys have a short shelf life, so a single key leak does not expose all the data.
Am I really affected? Why should I care?
This is not just another virus or bug that antivirus software on your computer or smartphone can help with. It is a more complicated bug (actually a programming error) in the services you use, such as hosting providers, bank servers and email service providers. Technically speaking, this is not a client-side problem but a server-side issue.
Every user who uses email, browses the internet, conducts business or ecommerce, and every normal, prudent surfer who cares about a secure browsing experience and has signed up for online services, free or paid, should care about this flaw and take corrective measures. More importantly, if you have visited a website over HTTPS in the last few years, trusting that it was secure, you will surely be interested in learning more about this. For example, if you are a Gmail, Facebook or Yahoo email user, you had better change your password now; this is a solution suggested even by Google.
According to EFF (Electronic Frontier Foundation), this flaw allows an attacker who connects to an HTTPS server running a vulnerable version of OpenSSL to access up to 64KB of private memory space. Doing the attack once can easily cause the server to leak cookies, emails, and passwords. Doing the attack repeatedly can potentially leak entire encryption keys, such as the private SSL keys used to protect HTTPS traffic. If an attacker has access to a website’s private SSL key, they can run a fake version of the website and/or steal any information that users send, including passwords, private messages, and credit card numbers. Neither users nor website owners can detect this attack as it happens.
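As an added illustration of the mechanism the last two answers describe (a peer asks for more heartbeat payload than it sent, and the server hands back whatever sits next in memory), here is a small standalone C model written for this page; it is not OpenSSL’s source code. It places a heartbeat handler in the vulnerable shape, which trusts the declared payload length, beside the fixed shape, which checks that length against the number of bytes actually received. The record layout follows RFC 6520; the request bytes, the buffer contents and the ‘SESSION=’ string standing in for neighbouring server memory are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout from RFC 6520:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (at least 16 bytes)
 * Standalone model of the missing check; not OpenSSL's source code. */
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16
#define HB_REQUEST      1
#define HB_RESPONSE     2

static uint16_t read_u16_be(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Shared tail of both variants: echo the payload back and append padding. */
static size_t hb_build_response(const uint8_t *rec, uint16_t payload_len,
                                uint8_t *out, size_t out_cap)
{
    size_t resp_len = HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return resp_len;
}

/* Vulnerable shape: payload_length comes from the peer and is never compared with
 * rec_len, the number of bytes actually received, so memcpy reads past the request
 * into whatever sits next in memory. */
size_t hb_respond_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    (void)rec_len;                             /* the bug: received length is ignored */
    if (rec[0] != HB_REQUEST)
        return 0;
    return hb_build_response(rec, read_u16_be(rec + 1), out, out_cap);
}

/* Fixed shape: a request whose declared payload (plus header and minimum padding)
 * does not fit in the received record is silently discarded, as RFC 6520 requires. */
size_t hb_respond_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload_len = read_u16_be(rec + 1);
    if (HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING > rec_len)
        return 0;                              /* declared length exceeds what arrived */
    return hb_build_response(rec, payload_len, out, out_cap);
}

/* Constructed scenario: one 24-byte request (5-byte payload, declared as 100 bytes)
 * followed in the same buffer by a string standing in for unrelated server memory. */
#define DEMO_REC_LEN 24
static const char DEMO_SECRET[] = "SESSION=constructed-sample-cookie";

static void demo_fill_memory(uint8_t *mem, size_t mem_len)
{
    memset(mem, 0, mem_len);
    mem[0] = HB_REQUEST;
    mem[1] = 0x00; mem[2] = 0x64;              /* claims 100 bytes of payload */
    memcpy(mem + 3, "hello", 5);               /* only 5 bytes were actually sent */
    memcpy(mem + DEMO_REC_LEN, DEMO_SECRET, sizeof DEMO_SECRET);
}

/* Response length from the vulnerable handler: 3 + 100 + 16 = 119 bytes, far more than the 24 received. */
size_t demo_unchecked_len(void)
{
    uint8_t mem[128], out[256];
    demo_fill_memory(mem, sizeof mem);
    return hb_respond_unchecked(mem, DEMO_REC_LEN, out, sizeof out);
}

/* 1 if the vulnerable handler's response carries the neighbouring "secret", else 0. */
int demo_unchecked_leaks_secret(void)
{
    uint8_t mem[128], out[256];
    demo_fill_memory(mem, sizeof mem);
    size_t n = hb_respond_unchecked(mem, DEMO_REC_LEN, out, sizeof out);
    /* bytes beyond the real request land at offset DEMO_REC_LEN in the response */
    return n > DEMO_REC_LEN + 8 && memcmp(out + DEMO_REC_LEN, "SESSION=", 8) == 0;
}

/* Response length from the fixed handler on the same over-declared request: 0, i.e. discarded. */
size_t demo_checked_len(void)
{
    uint8_t mem[128], out[256];
    demo_fill_memory(mem, sizeof mem);
    return hb_respond_checked(mem, DEMO_REC_LEN, out, sizeof out);
}

/* A well-formed request (declared length matches what arrived) is still answered: 3 + 5 + 16 = 24. */
size_t demo_checked_valid_len(void)
{
    uint8_t mem[128], out[256];
    demo_fill_memory(mem, sizeof mem);
    mem[2] = 0x05;                             /* honest declared length */
    return hb_respond_checked(mem, DEMO_REC_LEN, out, sizeof out);
}

int main(void)
{
    printf("unchecked: %zu bytes, leaks neighbour: %d\n", demo_unchecked_len(), demo_unchecked_leaks_secret());
    printf("checked:   %zu bytes (valid request: %zu bytes)\n", demo_checked_len(), demo_checked_valid_len());
    return 0;
}
```

The one-line comparison in hb_respond_checked is the whole fix: the server must size its copy from what it actually received, never from a length field the peer controls. Note also why the page says nobody notices: the vulnerable handler returns a perfectly well-formed heartbeat response, so nothing in the exchange looks malformed to either side; only the server-side bounds check, or upgrading to a build that has it, closes the leak.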
How do I know if my bank account was also compromised using this flaw?
Most banks use proprietary encryption software instead of the open-source OpenSSL. Still, it’s wise to check with your bank’s information security personnel or its website for any press release related to this.
How do I know or check whether a website has taken corrective measures and fixed this problem?
Password management companies have come up with ways of testing websites to check whether the flaw has been corrected and whether the website is safe. You can check with LastPass to see whether a given website has corrected the bug. There will also be press releases and news from the websites themselves stating that the issue is fixed.
For example, the Canada Revenue Agency has extended the filing deadline for tax returns and promised to resume e-services by the end of the weekend for all federal departments using software vulnerable to the Heartbleed bug (source: www.cbc.ca).
How do I protect myself against this security flaw?
Keep an eye on your financial statements and bank accounts through physical statements, not online.
Once you have confirmed that your bank’s website has been safeguarded, change your passwords.
Do not log in to sensitive accounts such as bank websites and email accounts until you are sure the flaw has been corrected.
Which websites need a password change right now?
First check which websites were affected and whether they have taken corrective measures by releasing a patch. Mashable has collated a fairly extensive list of websites that need a password change; you can check it out here. These are some of the websites that were affected and have since been corrected, so a password change is suggested, though not a must. As Google puts it, better safe than sorry. Keep in mind, of course, that the specific website must have applied a patch to correct the flawed version of OpenSSL; only then does changing your password make sense.
What versions of OpenSSL are affected?
How widespread is this flaw in the internet sphere?