April 18, 2014 by Joe Howanski
Over the last week, the Internet has been abuzz with the Heartbleed bug and its effect on OpenSSL sites. Most people have no idea what this means, nor what effect, if any, it will have on them. For that reason, I wanted to write this piece, just to do my best to make sure everyone can understand what went wrong and how it will affect them.
Let me start off by saying this: Unless you’re living under a rock and/or believe the Internet is the devil, you’ve run into the Heartbleed bug. It affects over two-thirds of all active websites in existence, according to Internet security company Netcraft, and represents one of the largest threats to Internet security and privacy. The formal name of the bug is CVE-2014-0160, following MITRE’s Common Vulnerabilities and Exposures nomenclature. For most, this is not important, but I’d be remiss if I failed to mention it. The bug is called Heartbleed because it leaks information from memory in the Heartbeat extension of Transport Layer Security and Datagram Transport Layer Security of OpenSSL’s implementation. Let me further explain those, before digging deeper into Heartbleed.
Secure Sockets Layer is a cryptographic protocol for secure communication on the Internet. It is the predecessor of Transport Layer Security and Datagram Transport Layer Security, which are both cryptographic means of securing communication. To explain it simply, these are security features that use unique keys to confirm your identity and then securely transmit information from the web server to your computer and vice versa. Most sites where private information is stored or transmitted will feature an “s” in their web address: “https://”. This “s” stands for “secure” and represents the usage of SSL/TLS on that website.
So now that we’ve covered a very basic explanation of what SSL and TLS are, let me briefly describe the Heartbeat extension, the area in which the Heartbleed bug occurs. The Heartbeat extension allows a connection to be kept open and stored in memory so that information is able to flow quickly and efficiently, like blood from your heart. This one pathway controls all the information and stays open to allow faster loading for users.
Finally, let’s talk about what Heartbleed is and how it works. Heartbleed is an exploitable bug, created accidentally by Robin Seggelmann, which allows individuals to basically fool the server into leaking its memory. By taking advantage of this bug individuals are able to get vital information from the server’s memory and use it for their own gain. You may be wondering why SSL/TLS isn’t preventing your data from being read as it is supposedly communicated “securely.” And it is, however, here’s the real problem that’s causing so many to worry: Heartbleed allows those who abuse it to obtain the encryption keys for the security protocols themselves. As I mentioned before, SSL/TLS use unique keys to encrypt and transmit data and by abusing Heartbleed you’re able to get those keys. Once you have them, you can do some major damage. All the information that the server communicates, even if it is secure, is now free game because you essentially have the “key” to all the “locks.” Credit card information, passwords, social security numbers, your pet’s name, your mom’s maiden name, all of it — it’s all available to those abusing Heartbleed.
But how bad can it be? Well, over 66 percent of all of the active websites in the world were vulnerable to the Heartbleed bug. And here’s the real kicker: The bug has been around since 2012 when it was publically released in OpenSSL 1.0.1 after being included originally in the code in 2011. And to top it all off, there’s no widespread way to detect if it’s being abused, so we have no real way of knowing how rampant the problem is. Sites like Facebook, Instagram, Pinterest, Tumblr, Yahoo, Netflix, SoundCloud, Dropbox, Github and Wikipedia are some of the giants who were affected. Even Google stated it applied some patches to its services, including Gmail and YouTube, although it stated users would not have to change passwords.
The bug itself was actually found independently by a Google engineer, Neel Mehta, and by a Finnish security firm, Codenomicon. They did not work together, but both made sure to alert OpenSSL to fix the major bug as soon as possible. Its existence was formally announced April 7, 2014, nearly two years after it was first accidentally added. Although many sites have since upgraded or fixed their SSL encryptions, due to OpenSSL’s widespread use, there are still thousands of services, devices and sites that are vulnerable. Codenomicon CEO David Chartier estimates that it will be a year or two before all OpenSSL services are fixed.
Overall, Heartbleed is a devastating blow to Internet security and has forced millions of users to change their passwords after making them vulnerable to data loss and theft. OpenSSL is maintained almost entirely by volunteers, and many have now begun to question such open source projects being used on a large scale without oversight. Whether something like this could have happened with closed source code is unknown, but there is no doubt that Heartbleed will garner more scrutiny on open source code; whether that’s good or bad, it’s impossible to know now. It will be interesting to see how open source code may be changed and what changes in security coding may come about. Expect to see that over the next few weeks, months and years, Heartbleed will spawn conversations on security, privacy and open source code. To conclude, Heartbleed has affected millions and will continue to do so, both directly and indirectly. We can only hope that we learn from this bug.
Joe Howanski is the business manager at The Triangle. He can be contacted at firstname.lastname@example.org.