The Heartbleed bug, a newly discovered security vulnerability that puts users’ passwords at many popular Web sites at risk, has upended the Web.It’s an extremely serious issue, and as such, there’s a lot of confusion about the bug and its implications as you use the Internet.
What is Heartbleed?
Heartbleed is a security vulnerability in OpenSSL software that lets a hacker access the memory of data servers.That means a user’s sensitive personal data — including usernames, passwords, and credit card information — is potentially at risk of being intercepted.
The vulnerability also means an attacker could steal a server’s digital keys that are used to encrypt communications and get access to a company’s secret internal documents.
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
What is OpenSSL?
That stands for Secure Sockets Layer, but it’s also known by its new name, Transport Layer Security, or TLS. It’s the most basic means of encrypting information on the Web, and it mitigates the potential of someone eavesdropping on you as you browse the Internet.
OpenSSL is open-source software for SSL implementation across the Web. The versions with the vulnerability are 1.0.1 through 1.0.1f. OpenSSL also is used as part of the Linux operating system, and as a component of Apache and Nginx, two very widely used programs for running Web sites. Bottom line: Its use across the Web is vast.
Why is it called Heartbleed?
Heartbleed is a play on words referring to an extension on OpenSSL called “heartbeat.” The protocol is used to keep connections open, even when data isn’t being shared between those connections.
Why are some sites not affected by Heartbleed?
Although OpenSSL is very popular, there are other SSL/TLS options. In addition, some Web sites use an earlier, unaffected version, and some didn’t enable the “heartbeat” feature that was central to the vulnerability.
While it doesn’t solve the problem, what mitigates the scope of the potential damage is the implementation of perfect forward secrecy, or PFS, a practice that makes sure encryption keys have a very short shelf life, and are not used forever. That means that if an attacker did get an encryption key out of a server’s memory, the attacker wouldn’t be able to decode all secure traffic from that server because keys use is very limited.
How does the bug work?
The vulnerability lets a hacker access up to 64 kilobytes of server memory, but perform the attack over and over again to get lots of information. That means an attacker could get not just usernames and passwords, but also “cookie” data that Web servers and browsers use to track individuals and ease log-in. According to the Electronic Frontier Foundation, doing the attack repeatedly could yield more serious information, like a site’s private SSL key, used to encrypt traffic. With that key, someone could run a fake version of a Web site and use it to steal all other kinds of information, like credit card numbers or private messages.ly, but if the Web site’s bug has not been fixed yet, making the change could be useless — you’re just potentially giving an attacker your new password.
What versions of the OpenSSL are affected?
Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
How to prevent heartbleed?
As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.
How can the Internet best protect itself against catastrophic bugs like this?
*) Need safer passwords.
*) Websites need to implement One-Time-Passwords
*) Use of client certificates : Client certificates prove you are the person you claim you are. All you have to do is install it (and one works across many sites) in your browser, then choose to use it when a site wants you to authenticate. These certificates are a close cousin of the SSL certificates websites use to identify themselves to your computer.
Advantages of client certificates: No matter how many sites you sign in to with a client certificate, the power of math is on your side; nobody will be able to use that same certificate to pretend to be you, even if they observe your session.
*) End-to-end encryption :
The most effective way a website can protect your data is to never be in possession of it in the first place — at least, not a version it can read. If a website can read your data, an attacker with sufficient access can read your data. This is why we like end-to-end encryption (E2EE).
What is end-to-end encryption? This means that you encrypt the data on your end, and it stays encrypted until it reaches the person you are intending it for, or it returns to you.