If you've visited a website in the last three years, you've likely been affected by what many consider the single worst security vulnerability to ever hit the Internet. This weakness, known as the Heartbleed bug, occurs in the popular OpenSSL library. Information typically protected by SSL/TLS encryption, such as private keys and passwords, can be stolen. Attacks also occur silently and without a trace.
What Is OpenSSL?
Before you can understand the Heartbleed exploit, you should have some familiarity with the technology that it impacts. Early in the creation of the Internet, developers realised that they needed to build in certain security features to solve two main problems. First, users needed a way to verify that the server they were communicating with was who it claimed to be. Second, users needed a way to encrypt communications between themselves and the server.
SSL, an encryption technology that allows you to share your confidential information with a web site securely, solves these two problems. Sites can buy digital certificates from trusted authorities that verify the site's identity. These certificates can also work with encryption keys to make sure that information sent to the site can only be read by the site. For example, if you buy a new office printer from eBay, only eBay can read the transaction, no matter who tries to intercept it. Likewise, websites using SSL can also create an encryption key for each individual user. A copy of each of these keys is stored on the website and on the user's computer. In this way, no matter who tries to eavesdrop on the communication, only the user can decrypt it and read the plaintext message.
Since the technology to perform these tasks is so complex, several companies have created packages to make handling SSL functions easier. OpenSSL has been, by far, the most popular of these packages. Developed under an open source license, OpenSSL is free to use. It has become a staple for many web-based companies. In fact, OpenSSL comes as a standard feature on some of the most popular web hosting platforms. These include Apache and nginx, along with many popular Linux distributions like Ubuntu, Debian, Red Hat, and Suse.
What Does Heartbleed Do?
When you connect to a server that runs HTTPS, a "handshake" occurs whereby the client and server agree on the connection's security. Once the handshake is complete, the client sends a "HeartbeatRequest" message to ensure that the server is still "alive" or present. The response message from the server to the client is a "HeartbeatResponse" message.
During this back-and-forth communication, a coding error within OpenSSL creates a vulnerability. Attackers can access up to 64KB of the server's memory. This 64KB may contain the user's username and password, or worse yet the private key for the server itself.
It's self-explanatory what a hacker can do with your user name and password, but what about the server's private key? This private key lets the hacker masquerade as the target server, tricking you (or your browser) into thinking that a phony website is the official one for a specific company. What's more, the hacker can decrypt previous sessions to read your data from prior transactions.
How Do I Recover From Heartbleed?
Unfortunately, as a user, there isn't much you can do. Changing your password won't help until the service you're using has fixed the problem on their end. Mashable and other sites have published a list of popular sites that were affected.
If you run a server that uses OpenSSL, first identify if your version is at risk. The Heartbleed vulnerability was added to OpenSSL at the start of 2012. According to OpenSSL's security advisory, versions 1.0.1 and 1.0.2-beta are affected. The good news is, a patch has already been created. You simply need to upgrade to the latest version.
If you don't run your own server and instead rely on a hosting company, that company must upgrade their OpenSSL to the patched version. Talk to your hosting company and urge them to fix the problem, if they haven't already.
After upgrading to the latest version of OpenSSL, any SSL certificates should be reissued, especially those used to protect sensitive data. Don't forget to have old certificates revoked as well, or the system will remain at risk.
We realise some of this can get pretty technical and the story continues to unfold. If you have any questions about this security exploit, please contact us.