What is Heartbleed?


April 18, 2014 | By: Adrian

Heartbleed is a defect in OpenSSL, the Internet’s most popular open-source encryption technology. It is estimated that two-thirds of Web Servers use OpenSSL, meaning a large number of websites have been vulnerable to attacks since March 2012. For example, when you see the letters https in your web browser, it means the web page you are viewing has been transmitted to you in an encrypted form. That means your data should be safeguarded from external eyes, so a password or other personal information provided to the site should be encrypted. The S in https means that the web traffic you are transmitting is encrypted using SSL. OpenSSL is simply an implementation of SSL, but it also happens to be the most popular implementation.

In the vulnerable versions of OpenSSL there is an extension known as heartbeat, which allows one to keep a TLS session open even when there is no traffic. A heartbeat request can be sent to the open session with malicious intent, leading to what is known as a Heartbleed attack. The Heartbleed attack works as follows.

A heartbeat request is sent from one computer to another with some information and a size attribute, and the receiving computer responds with a message of equal size. The code from the OpenSSL library that handles the heartbeat request copies the message into its memory and at some point returns the message. However, the flaw is that the heartbeat response does not check that the message being returned is the same size as the message received, but rather that it is the same size as the size attribute sent along with the heartbeat request. In theory, an attacker could send a one-byte message, but claim the size is 4000 bytes. The response would then send back 3999 bytes of data to the attacker that have nothing to do with the message. Making matters worse, OpenSSL is an encryption technology that deals with sensitive data, so the data being sent back from memory could hold passwords or credit card information.
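To make the missing check concrete, here is a small C model of the heartbeat handling described above, with the flawed handler next to a corrected one. It is an illustration added to this post, not code from the original article and not OpenSSL's own source; the record layout (type byte, two-byte claimed length, payload, 16 bytes of padding), the 256-byte reply buffer and the "session-secret" bytes placed after the record are constructed assumptions standing in for whatever a real process holds in memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the heartbeat flaw described in this article (not OpenSSL code).
 * A heartbeat record is modelled as:
 *   1 byte type | 2 byte claimed payload length (big endian) | payload | 16 bytes padding
 * The record sits at the start of a buffer that also holds unrelated session
 * data, standing in for whatever else lives in the process memory. */

#define PADDING 16
#define HDR 3   /* type byte + 2 length bytes */

/* Constructed "process memory": a request whose real payload is one byte ("A")
 * but whose length field claims 40 bytes, followed by 23 bytes of data that
 * have nothing to do with the request. */
static const uint8_t forged_memory[] =
    "\x01"                      /* type: heartbeat request */
    "\x00\x28"                  /* claimed payload length: 40 */
    "A"                         /* the one real payload byte */
    "PPPPPPPPPPPPPPPP"          /* 16 bytes of padding */
    "session-secret=hunter2;";  /* constructed other data */
static const size_t forged_record_len = HDR + 1 + PADDING;  /* bytes actually received: 20 */

/* An honest request: one byte of payload and a length field that says so. */
static const uint8_t honest_memory[] =
    "\x01" "\x00\x01" "A" "PPPPPPPPPPPPPPPP" "session-secret=hunter2;";
static const size_t honest_record_len = HDR + 1 + PADDING;

static uint16_t claimed_length(const uint8_t *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable handler: echoes as many bytes as the sender CLAIMED, never
 * comparing that claim with how many bytes actually arrived. Returns the
 * number of bytes placed in out. The copy is clamped to the model buffer so
 * the demo stays within defined behaviour; a real process just reads onward. */
size_t heartbeat_vulnerable(const uint8_t *mem, size_t mem_len,
                            uint8_t *out, size_t out_cap)
{
    size_t n = claimed_length(mem);
    if (n > out_cap) n = out_cap;
    if (HDR + n > mem_len) n = mem_len - HDR;
    memcpy(out, mem + HDR, n);   /* reads past the real payload into other data */
    return n;
}

/* Fixed handler: header + claimed payload + padding must fit inside the
 * record that was actually received; otherwise the request is discarded. */
size_t heartbeat_fixed(const uint8_t *mem, size_t record_len,
                       uint8_t *out, size_t out_cap)
{
    size_t n = claimed_length(mem);
    if (HDR + n + PADDING > record_len) return 0;   /* claim exceeds what arrived */
    if (n > out_cap) return 0;
    memcpy(out, mem + HDR, n);
    return n;
}

/* Helpers that return plain values so the two behaviours can be compared. */
size_t forged_bytes_echoed_vulnerable(void)
{
    uint8_t out[256];
    return heartbeat_vulnerable(forged_memory, sizeof forged_memory - 1, out, sizeof out);
}

int forged_reply_contains_other_data(void)
{
    uint8_t out[256];
    size_t n = heartbeat_vulnerable(forged_memory, sizeof forged_memory - 1, out, sizeof out);
    /* byte 0 is the real payload, 1..16 the padding, 17 onward is other memory */
    return n >= 17 + 14 && memcmp(out + 17, "session-secret", 14) == 0;
}

size_t forged_bytes_echoed_fixed(void)
{
    uint8_t out[256];
    return heartbeat_fixed(forged_memory, forged_record_len, out, sizeof out);
}

size_t honest_bytes_echoed_fixed(void)
{
    uint8_t out[256];
    return heartbeat_fixed(honest_memory, honest_record_len, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler echoes %zu bytes for a 1-byte payload\n",
           forged_bytes_echoed_vulnerable());
    printf("fixed handler echoes %zu bytes for the same forged request\n",
           forged_bytes_echoed_fixed());
    printf("fixed handler echoes %zu byte(s) for an honest request\n",
           honest_bytes_echoed_fixed());
    return 0;
}
```

The only difference between the two handlers is the single comparison of the claimed length against the length of the record that actually arrived. That is the shape of the fix OpenSSL shipped: a request whose length field cannot be satisfied by the bytes received is dropped rather than answered from whatever happens to follow in memory.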

Who was affected?

Most of the Internet. It is nearly impossible to conclude that a particular site was attacked because a Heartbleed attack leaves no trace of evidence. However, we recommend trying the site created by Filippo Valsorda. If you enter a URL into the search bar on the site, Valsorda's tool attempts to exploit the site using the Heartbleed bug and returns whether or not the site is susceptible to attack. Major sites like Facebook, Instagram, Pinterest, Tumblr, Google, Yahoo, Dropbox, and GitHub, just to name a few, were all using OpenSSL, but have already taken measures to fix the problem. So if most websites have already fixed the bug then I do not have to take any action? Wrong.

What can you do?

It has been just over a week since the Heartbleed bug began to get attention from major news corporations, and thus most websites have taken action to correct the flaw. Even though they have taken action, there is no guarantee that your information was not compromised beforehand. If you are a user of any of the websites on this extensive list published by Mashable, we highly recommend you change your password as soon as possible. If you use one password for multiple sites and one of those sites was compromised, someone may have access to all your personal information on a variety of sites. If you need some help creating unique passwords for multiple sites, check out these tips from LifeHacker, a great article to help you remember 100 unique passwords with one simple rule.
