What is Heartbleed?

April 18, 2014 / By: Adrian

Heartbleed is a defect in OpenSSL, the Internet's most popular open-source encryption library. It is estimated that two-thirds of web servers use OpenSSL, meaning a large number of websites have been vulnerable to attack since March 2012. For example, when you see the letters https in your web browser, the page you are viewing has been transmitted to you in an encrypted form. That means your data should be safeguarded from outside eyes, so a password or other personal information you provide to the site should be encrypted in transit. The S in https means that the web traffic you are transmitting is encrypted using SSL. OpenSSL is simply one implementation of SSL, but it also happens to be the most popular implementation.

In the vulnerable versions of OpenSSL there is an extension known as heartbeat, which allows either side to keep a TLS session open even when there is no traffic. A heartbeat request can be sent over the open session with malicious intent, leading to what is known as a Heartbleed attack. The Heartbleed attack works as follows.

A heartbeat request is sent from one computer to another containing some payload data and a size attribute (the claimed payload length), and the receiving computer is expected to respond with a message of equal size. The code in the OpenSSL library that handles the heartbeat request copies the payload into its memory and at some point returns it to the sender. The flaw is that the heartbeat response does not check that the data being returned is the same size as the message actually received; instead it trusts the size attribute sent along with the request. In theory, an attacker could send a one-byte message but claim the size is 4000 bytes. The response would then send back 3999 bytes of data from the server's memory that have nothing to do with the message. Making matters worse, OpenSSL is an encryption technology that deals with sensitive data, so the memory being sent back could hold passwords or credit card information.
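The following C program is an added illustration of the length-check defect described above; it is not OpenSSL's code and not code from this post. It simulates a heartbeat handler working on a constructed block of "process memory": the received record sits at the start and an unrelated, made-up session secret sits right after it. The `process_heartbeat` function takes a `check_bounds` flag: with it off, the handler behaves like the vulnerable versions and copies as many bytes as the untrusted length field claims; with it on, it applies the check from the fix, which silently discards any request whose claimed payload does not fit in the record actually received. The buffer layout, the secret string, and the function names are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of a TLS heartbeat message (RFC 6520):
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length (big-endian)
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed "process memory" for the example: the received record is placed
 * at offset 0, followed by unrelated data (a pretend session secret) that a
 * correct implementation must never include in a response. */
#define MEMORY_SIZE 256
static unsigned char memory[MEMORY_SIZE];

/* Build a heartbeat request at the start of the constructed memory.
 * claimed_len is what the 2-byte length field says; actual_len is how much
 * payload is really present. Returns the record length the TLS layer would
 * report for the message it actually received. */
size_t build_request(const unsigned char *payload, size_t actual_len,
                     uint16_t claimed_len, const char *secret)
{
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(memory + 3, payload, actual_len);
    size_t record_len = 3 + actual_len + HB_PADDING;   /* padding is already zero */
    /* Place the unrelated secret directly after the record, as it could sit in a real heap. */
    strncpy((char *)memory + record_len, secret, MEMORY_SIZE - record_len - 1);
    return record_len;
}

/* Handle a heartbeat request found in record[0..record_len).
 * check_bounds == 0: copy length comes straight from the untrusted length field
 *                    (the vulnerable behaviour).
 * check_bounds == 1: reject requests whose claimed payload plus header and
 *                    padding exceeds the bytes actually received (the fix).
 * Returns the number of response bytes written to out, or 0 if discarded. */
size_t process_heartbeat(const unsigned char *record, size_t record_len,
                         int check_bounds, unsigned char *out, size_t out_cap)
{
    if (record_len < 3) return 0;
    uint16_t payload = (uint16_t)((record[1] << 8) | record[2]);
    if (check_bounds && (size_t)1 + 2 + payload + HB_PADDING > record_len)
        return 0;                       /* silently discard the malformed request */
    size_t resp_len = 3 + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = record[1];
    out[2] = record[2];
    /* Without the check above, this copy reads past the received payload. */
    memcpy(out + 3, record + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Scenario from the text: a 5-byte payload with a claimed length of 40.
 * Returns 1 if the response contains bytes of the neighbouring secret. */
int response_leaks_secret(int check_bounds)
{
    static const unsigned char payload[] = "hello";
    static const char secret[] = "SECRET-SESSION-KEY";   /* constructed value */
    size_t record_len = build_request(payload, 5, 40, secret);
    unsigned char out[MEMORY_SIZE];
    size_t n = process_heartbeat(memory, record_len, check_bounds, out, sizeof out);
    if (n == 0) return 0;
    for (size_t i = 3; i + strlen(secret) <= n; i++)
        if (memcmp(out + i, secret, strlen(secret)) == 0) return 1;
    return 0;
}

/* Honest request: claimed length equals the real payload length.
 * Returns 1 if the response echoes the payload exactly, which both the
 * vulnerable and the fixed handler should do. */
int response_echoes_payload(int check_bounds)
{
    static const unsigned char payload[] = "hello";
    size_t record_len = build_request(payload, 5, 5, "unrelated data");
    unsigned char out[MEMORY_SIZE];
    size_t n = process_heartbeat(memory, record_len, check_bounds, out, sizeof out);
    return n == 3 + 5 + HB_PADDING && out[0] == HB_RESPONSE &&
           memcmp(out + 3, payload, 5) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", response_leaks_secret(0));
    printf("patched handler leaks secret:    %d\n", response_leaks_secret(1));
    return 0;
}
```

The fix is a single comparison: the handler must measure the request by the number of bytes that actually arrived, not by a length the peer wrote into the message. Everything else in the handler is the same in both modes, which is why the bug survived review for two years.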

Who was affected?

Most of the Internet. It is nearly impossible to conclude that a particular site was attacked, because a Heartbleed attack leaves no trace in the server's logs. However, we recommend trying the site created by Filippo Valsorda. If you enter a URL into the search bar, Valsorda's site attempts to exploit the server using the Heartbleed bug and reports whether or not the site is susceptible to attack. Major sites like Facebook, Instagram, Pinterest, Tumblr, Google, Yahoo, Dropbox, and GitHub, just to name a few, were all using OpenSSL, but have already taken measures to fix the problem. So if most websites have already fixed the bug, then I do not have to take any action? Wrong.

What can you do?

It has been just over a week since the Heartbleed bug began to get attention from major news organizations, and most websites have since taken action to correct the flaw. Even though they have taken action, there is no guarantee that your information was not compromised beforehand. If you are a user of any of the websites on this extensive list published by Mashable, we highly recommend you change your password as soon as possible, once the site has confirmed it has applied the fix (a password changed on a still-vulnerable site can be captured the same way). If you use one password for multiple sites and one of those sites was compromised, someone may have access to your personal information on a variety of sites. If you need help creating unique passwords for multiple sites, check out these tips from Lifehacker, a great article to help you remember 100 unique passwords with one simple rule.
