Heartbleed is all over the security news and forums. Everyone is talking about it and everyone is afraid of it, so let's start with some basic information about what Heartbleed actually is and how large its footprint is.
The Heartbleed Bug is a serious security vulnerability in OpenSSL, the most widely used cryptographic software library. It allows an attacker to steal information that would, under normal conditions, be protected by the SSL/TLS encryption used to secure the Internet.
The name comes from the TLS Heartbeat extension (RFC 6520), which lets either side of an encrypted connection send a small message, the heartbeat, to check that the other side is still online and responding; the bug makes that heartbeat "bleed" memory.
How does it work?
The bug is a missing bounds check in OpenSSL's handling of heartbeat messages. A heartbeat request carries a payload and a field stating the payload's length; the vulnerable code trusted that field and copied that many bytes from memory into its reply, even when the request actually contained far fewer. An attacker can therefore send a tiny heartbeat with a large claimed length and receive up to 64 KB of the other side's memory per request, as often as desired, and the attack works in either direction: a vulnerable client talking to a malicious server leaks its memory the same way. Whatever happens to be in that memory is exposed: the private keys that identify the service and protect its traffic, user names and passwords, session cookies and the actual content of connections. The private keys are the most valuable prize, because with them an attacker can impersonate the site and decrypt recorded traffic (where the cipher suite does not provide forward secrecy), and that remains true after the bug is patched unless the keys are replaced and the old certificates revoked.
Any data the process held in memory at the time can be stolen this way, from the contents of private e-mails to credit card details entered into a web form. Each request returns only whatever slice of memory happened to sit next to the heartbeat record, so attackers read repeatedly and sift through the results.
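To make the missing check concrete, here is an added example, written for this page and not OpenSSL's own code, that simulates the heartbeat handler in C. The functions, the "arena" standing in for process memory, and the sample secret string are all constructed for the demo; the two bounds checks in the patched path are the ones the 1.0.1g fix added to tls1_process_heartbeat.

```c
/* heartbleed_demo.c: simulates OpenSSL's heartbeat handling before and after the 1.0.1g fix. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2
#define HB_PADDING        16                    /* RFC 6520: at least 16 bytes of padding */
#define HB_MAX_PAYLOAD    65535                 /* the length field is 2 bytes */
#define HB_MAX_RESPONSE   (1 + 2 + HB_MAX_PAYLOAD + HB_PADDING)
#define ARENA_SIZE        (HB_MAX_RESPONSE + 128)

/* Simulated process memory (an assumption of this demo, not OpenSSL's real allocator):
 * the received record sits at the start and unrelated connection state lands right
 * after it, as it would on a real heap. Keeping everything inside one array keeps the
 * over-read defined behaviour in C, so the program runs cleanly yet still shows the leak. */
static unsigned char g_arena[ARENA_SIZE];
static size_t        g_record_len;              /* s->s3->rrec.length in OpenSSL */
static unsigned char g_response[HB_MAX_RESPONSE];

/* Place a heartbeat request in the arena: type(1) | length(2) | payload | padding(16).
 * `claimed_len` goes into the length field; the payload actually sent is strlen(payload)
 * bytes. `secret` is written into the memory immediately after the record.
 * Returns the record length, or 0 if it does not fit. */
size_t load_request(const char *payload, uint16_t claimed_len, const char *secret)
{
    size_t actual_len = strlen(payload);
    size_t record_len = 1 + 2 + actual_len + HB_PADDING;
    if (record_len + strlen(secret) + 1 > ARENA_SIZE)
        return 0;
    memset(g_arena, 0, sizeof g_arena);
    g_arena[0] = TLS1_HB_REQUEST;
    g_arena[1] = (unsigned char)(claimed_len >> 8);   /* big-endian, as n2s() expects */
    g_arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(g_arena + 3, payload, actual_len);
    /* the 16 padding bytes stay zero here; a real client sends random bytes */
    memcpy(g_arena + record_len, secret, strlen(secret) + 1);  /* adjacent "heap" data */
    g_record_len = record_len;
    return record_len;
}

/* Process the loaded request. With patched == 0 the logic mirrors 1.0.1f: the number of
 * bytes copied comes straight from the attacker's length field. With patched != 0 the
 * two checks from 1.0.1g are applied first.
 * Returns the response length, or -1 if the record is silently discarded. */
int process_heartbeat(int patched)
{
    const unsigned char *p = g_arena;
    unsigned char hbtype;
    unsigned int payload;

    if (patched && (size_t)(1 + 2 + HB_PADDING) > g_record_len)
        return -1;                              /* 1.0.1g: too short to hold a header */

    hbtype = *p++;
    payload = (unsigned int)p[0] << 8 | p[1];   /* n2s(p, payload) */
    p += 2;

    if (patched && (size_t)(1 + 2 + payload + HB_PADDING) > g_record_len)
        return -1;                              /* 1.0.1g: claimed length exceeds record */

    if (hbtype != TLS1_HB_REQUEST)
        return -1;

    g_response[0] = TLS1_HB_RESPONSE;
    g_response[1] = (unsigned char)(payload >> 8);
    g_response[2] = (unsigned char)(payload & 0xff);
    /* The bug: copies `payload` bytes from the record whether or not that many arrived,
     * so whatever sits after the record in memory is echoed back to the peer. */
    memcpy(g_response + 3, p, payload);
    memset(g_response + 3 + payload, 0, HB_PADDING);
    return (int)(1 + 2 + payload + HB_PADDING);
}

/* Does the last response contain `needle`? (memmem is not portable, so a small scan.) */
int response_contains(int resp_len, const char *needle)
{
    size_t n = strlen(needle);
    if (resp_len < 0 || n == 0 || (size_t)resp_len < n)
        return 0;
    for (size_t i = 0; i + n <= (size_t)resp_len; i++)
        if (memcmp(g_response + i, needle, n) == 0)
            return 1;
    return 0;
}

/* One end-to-end run: 1 = response leaked the secret, 0 = response clean, -1 = discarded. */
int run_demo(int patched, const char *payload, uint16_t claimed_len, const char *secret)
{
    if (load_request(payload, claimed_len, secret) == 0)
        return -1;
    int len = process_heartbeat(patched);
    if (len < 0)
        return -1;
    return response_contains(len, secret);
}

int main(void)
{
    const char *secret = "session-cookie=deadbeef; user=alice";  /* constructed sample data */
    printf("honest request, unpatched: %d\n", run_demo(0, "ping", 4, secret));
    printf("claimed 16384,  unpatched: %d\n", run_demo(0, "ping", 16384, secret));
    printf("claimed 16384,  patched:   %d\n", run_demo(1, "ping", 16384, secret));
    printf("honest request, patched:   %d\n", run_demo(1, "ping", 4, secret));
    return 0;
}
```

The honest request is answered by both versions and leaks nothing; the request that claims 16384 bytes while carrying four is answered by the unpatched path with the adjacent "secret" inside the reply, and silently dropped by the patched path, which is exactly what RFC 6520 requires for a malformed heartbeat.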
Who found it?
Heartbleed was discovered independently by Neel Mehta of Google Security, who first reported it to the OpenSSL team, and by a team of security engineers at Codenomicon, who gave the bug its name and published the heartbleed.com site.
Who is affected by the bug?
Unfortunately, exploitation leaves no entries in a server's application logs, so from the logs alone it is not possible to know whether you were targeted; only network-level inspection of heartbeat records (for example an IDS rule that flags heartbeat requests whose stated length exceeds the record) can catch it, and few sites were capturing that before the bug was published. You are nevertheless likely to be affected, directly or indirectly, as estimates at disclosure put the share of potentially exposed websites at more than two-thirds of the Internet.
This scary number is based on the fact that the most notable software using OpenSSL are the open source web servers Apache and nginx, which together power more than 65% of all active websites on the Internet. It is an upper bound, though: it counts every site served by software that can link OpenSSL, not only the sites actually running a vulnerable release.
How to protect yourself?
A regular internet user cannot fix this issue; only the operator of the affected service can. For service providers the immediate job is to patch, and it is also a good moment to replace the private keys and certificates (and to review their key sizes), because any key that sat in the memory of a vulnerable server has to be treated as compromised.
What we can do as internet users is change the passwords we use for e-mail and banking services, but only after the service in question has been patched; a password changed on a still-vulnerable server can simply be stolen again. Even if Gmail and the like are not affected directly, reusing the same password on another online service that was vulnerable (something you really should not do) puts your e-mail or online bank account at risk.
How can OpenSSL be fixed?
The fix for the Heartbleed bug is relatively simple to apply. Only OpenSSL 1.0.1 through 1.0.1f (and the 1.0.2 beta) are vulnerable; the 1.0.0 and 0.9.8 branches never contained the heartbeat code. What website owners need to do is update their systems to the fixed release 1.0.1g or newer and then restart every service that links OpenSSL (web server, mail server, VPN and so on), because a running process keeps the old library loaded. Some Linux distributions backport the fix while keeping the old version number, so check the package changelog rather than the output of openssl version alone. If upgrading is not possible, OpenSSL can be recompiled with the heartbeat extension (not the handshake) disabled at compile time, using the option given in the OpenSSL advisory linked below. Patching alone is not enough: generate new private keys, reissue the certificates, revoke the old ones and invalidate existing sessions, since anything leaked before the patch stays leaked.
Where to find more information?
The official CODENOMICON Questions & Answers at – http://heartbleed.com/
The OpenSSL project has made a statement at – https://www.openssl.org/news/secadv_20140407.txt
NCSC-FI published their advisory at – https://www.cert.fi/en/reports/2014/vulnerability788210.html
If you are a TMDHosting client there is nothing to worry about. All of our servers were patched on day zero against the Heartbleed bug, and our technicians constantly monitor for such bugs and issues.
The most affected will be small companies and individual developers who may not even notice the issue and continue running their servers unpatched.
We will be following this topic and, in case there are any further important updates, we will continue to inform you.