There has been a lot being said on the news and online about a bug or exploit which has come to be known as “Heartbleed”. While news outlets have attempted to help the average user to understand what this bug is/was and how it affects them, I have personally found that most of those explanations have not been satisfactory and decided to try and explain what Heartbleed is and what affect it could have on the individual user, according to the best of my understanding of it.
First, before I can delve into the problem of Heartbleed, I need to define some terms:
- SSL – Secure Socket Layer – A type of encryption protocol used to protect/obscure data sent between a user’s web browser and a website/server so that anyone in-between the two sees nothing but garbage.
- Open SSL – A form of SSL which was created in an “Open Source” community and has no hidden/proprietary methodology behind it. (Note: This means the code for programming language is openly available but, the encryption keys it generates are NOT.)
- Encryption – A way of obscuring data through the use of mathematical formulas and encryption keys pre-determined automatically between the web browser and the website/server in question. Encryption uses keys that are 128, 256, or 512 bits in length. NOTE: Other types of encryption, such as for email, also use keys but, the “public key” of the sender must be shared with the receiving party, it is not automatic like SSL.
What is Heartbleed?
Heartbleed is/was a vulnerability in Open SSL which allowed a person, when sending certain information to a server, to get a report back containing the current requests to the server residing in its memory. Simply put, if the person knew the right way to ask, the server would tell them everything it was currently thinking about, including full requests with usernames, passwords, whatever data was being requested, and the data returned by the server. Due to the fact that this was a direct feed from the server’s memory, before/after encryption/decryption had taken place, the data was visible in plain text to the attacker.
How does/did Heartbleed work?
Heartbleed was named “heartbleed” because it refers to a certain “heartbeat” functionality within Open SSL. A user could ask the server to respond with a certain amount of data or word if it was still up and running. For example, a user could say “Server, if you are still there say “Hi” and return 2 characters”, the server would then reply “Hi” back.
However, a user could also trick the server into returning more data than the requested word/data in question. So instead of asking for 2 characters, the user could say, “Server, if you are still there say “Hi” and return 1000 characters”, at which point the server would respond with “hi” plus 998 characters currently contained in its memory.
This XKCD comic illustrates the concept a little better.
What does Heartbleed mean for me?
This is where most major news networks will attempt to cause the average person to panic. Yes, it is possible that persons who knew about the Heartbleed bug could have stolen a site user’s login name, password, and other private information. This should not be downplayed as a “small thing” by any stretch of the imagination.
However, not every secure server in the world uses Open SSL. Many banks, shopping sites, and other web applications use another form of proprietary SSL instead of Open SSL. This means that the bug did not affect those sites.
It is also important to note that the majority of companies that do use Open SSL for their security have already patched or fixed the vulnerability, meaning their site is no longer able to show anyone’s private data through the flaw. That being said, users will likely get notifications from said companies suggesting that they change/update their passwords on the website, just in case someone had previously attempted to use the flaw to steal information.
If a user gets a notification from a company requesting that they change their password, they should first, double check that the email is legitimate because, chances are, spammers will use this as a perfect opportunity to create fake sites in order to steal information. Users should always look at the web address in their browser to ensure that the site is ACTUALLY their bank before entering any password information.
One the legitimacy of the password reset email has been confirmed, the user should go through the password reset process. Users should keep in mind that strong passwords have at least 8 characters in mixed case, numbers, and special characters.. The passwords should never be simple words. IE “secret” is a BAD password, but 53Cr3T would be stronger password. (Still, never use secret, password, God, or anything like that as a password, even with numbers as letters.)
That is Heartbleed in a nutshell. Hopefully this has shed some light on what the vulnerability is/was and how it affects the everyday user. Remember that while companies will do everything possible to keep customer data safe, whatever man-made security measures are created, someone can and will eventually find a way to break them. It is important not to panic when these things happen and to do whatever is necessary to protect one’s self when they occur.
Copyright 2014 Christopher Weitzel
Image Credit: David Goehring