A very serious bug in OpenSSL, an open-source software library used to secure most of the Internet’s sensitive traffic, has been discovered and publicly disclosed. The bug, which is being called “Heartbleed”, has a lot of system administrators and security teams scurrying to secure their systems.
OpenSSL is probably a part of your life in many ways. If the apps you use or the sites you visit encrypt the data they send back and forth, there’s a good chance they use OpenSSL to do it. The Apache web server that powers something like 50% of the Internet’s web sites, for example, uses OpenSSL. It seems that it’s possible to trick almost any system running a vulnerable version of OpenSSL into revealing chunks of data sitting in its system memory.
Why the concern?
Extremely sensitive data often sits in a server’s system memory, including the keys it uses to encrypt and decrypt communication. The same goes for usernames, passwords, credit card numbers, and other sensitive data. This means an attacker could quite feasibly get a server to spit out its secret keys, allowing them to read any communication they intercept as if it weren’t encrypted at all. With access to those keys, an attacker could impersonate an otherwise secure site or server in a way that would fool many of your browser’s built-in security checks.
How Did It Happen?
OpenSSL is an open-source program which anyone can contribute to and improve. Changes are submitted and reviewed before being added to the final release. Website administrators then receive this release to update their systems. This meant the error moved from the development team to the released version, and eventually to the websites, without being identified.
German programmer Dr. Robin Seggelmann wrote the code for a new feature; it was reviewed by another member of the open-source community and then added to the OpenSSL software on New Year’s Eve in 2011. It was a simple programming error which unfortunately occurred in a security-relevant area. It was uncovered by a team of researchers from Google Security and Codenomicon.
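The “simple programming error” was a missing bounds check: the code copied as many bytes as the incoming message claimed to carry, without confirming that the message really contained that many. The following is an added illustration written for this article, not OpenSSL’s own code. It uses a constructed, simplified heartbeat-style record (a one-byte type, a two-byte length, the payload, then 16 bytes of padding), a vulnerable handler beside a hardened one, and a small in-memory stand-in for process memory; the function and constant names are hypothetical, and the over-read is kept inside the constructed buffer so the demonstration itself is well-defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified record layout (not OpenSSL's wire format):
 *   [1 byte type][2 byte payload length, big-endian][payload][16 bytes padding]
 * record_len is the number of bytes actually received for this record. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_PAD = 16 };

/* Vulnerable shape: copies as many bytes as the message *claims* it carries,
 * never checking that the record really contains them. Returns the number of
 * response bytes written, or -1 for a malformed header / too-small buffer. */
int heartbeat_vulnerable(const uint8_t *record, size_t record_len,
                         uint8_t *out, size_t out_cap)
{
    if (record_len < HB_HDR || record[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)record[1] << 8) | record[2];
    size_t resp_len = HB_HDR + payload_len + HB_PAD;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = record[1];
    out[2] = record[2];
    /* Missing bounds check: when payload_len exceeds what was received, this
     * copies whatever happens to sit in memory after the record. */
    memcpy(out + HB_HDR, record + HB_HDR, payload_len);
    memset(out + HB_HDR + payload_len, 0, HB_PAD);
    return (int)resp_len;
}

/* Hardened shape: the claimed length is validated against the received length
 * before anything is copied; a record that is too short is discarded. */
int heartbeat_fixed(const uint8_t *record, size_t record_len,
                    uint8_t *out, size_t out_cap)
{
    if (record_len < HB_HDR || record[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)record[1] << 8) | record[2];
    /* The one check that was missing: payload plus padding must fit inside
     * the bytes actually received. */
    if (HB_HDR + payload_len + HB_PAD > record_len) return -1;
    size_t resp_len = HB_HDR + payload_len + HB_PAD;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = record[1];
    out[2] = record[2];
    memcpy(out + HB_HDR, record + HB_HDR, payload_len);
    memset(out + HB_HDR + payload_len, 0, HB_PAD);
    return (int)resp_len;
}

typedef int (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);

/* Byte-string search helper (avoids the non-portable memmem). */
static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Constructed demonstration: a 128-byte buffer stands in for process memory.
 * A request carrying the 5-byte payload "hello" (plus padding) is followed
 * immediately by an unrelated secret. The header claims 40 payload bytes.
 * Returns 1 if the handler's response contains the secret, 0 if it does not,
 * and -1 if the handler rejected the record. */
int leaks_secret(hb_handler handler)
{
    uint8_t memory[128];
    memset(memory, 0, sizeof memory);
    const uint8_t hdr[HB_HDR] = { HB_REQUEST, 0x00, 40 };  /* claims 40 bytes */
    memcpy(memory, hdr, HB_HDR);
    memcpy(memory + HB_HDR, "hello", 5);
    size_t record_len = HB_HDR + 5 + HB_PAD;               /* 24 bytes received */
    const char *secret = "SECRET-KEY-MATERIAL";             /* constructed value */
    memcpy(memory + record_len, secret, strlen(secret));

    uint8_t response[256];
    int n = handler(memory, record_len, response, sizeof response);
    if (n < 0) return -1;
    return contains(response, (size_t)n, secret);
}

/* A well-formed request (claimed length matches what was sent) must still be
 * answered by both handlers; returns the response length. */
int valid_roundtrip_len(hb_handler handler)
{
    uint8_t record[HB_HDR + 5 + HB_PAD] = { HB_REQUEST, 0x00, 5, 'h', 'e', 'l', 'l', 'o' };
    uint8_t response[64];
    return handler(record, sizeof record, response, sizeof response);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed handler result (-1 = discarded): %d\n", leaks_secret(heartbeat_fixed));
    printf("valid request, fixed handler response bytes: %d\n",
           valid_roundtrip_len(heartbeat_fixed));
    return 0;
}
```

The fix is a single comparison of a length the peer supplied against a length the receiver measured itself; the general lesson for a defender is that any length field inside a message is untrusted input and must be checked against the size of the data actually received before it drives a copy.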
Affected sites, including Google and Facebook, have fixed the problem, but there are still thousands of websites that have yet to fix it. Affected sites include a number of Google services, including Gmail and YouTube, as well as Facebook, Tumblr, Yahoo and Dropbox. All of these sites have been patched, and security experts are advising people to change their passwords on these accounts, even if the sites themselves aren’t issuing the advice.
What Should You Do?
Qualys, a Web security firm, has developed an easy tool that lets you scan any website to see if it’s vulnerable to the Heartbleed bug. Go to the Qualys SSL Labs page, type in the name of a website, and click “Submit” to assess its vulnerability to the OpenSSL Web encryption bug. When the scan is complete, you should see a notification telling you whether the site is affected by Heartbleed.
There is also a robust list of Android, iOS, Windows Apps, Websites and Video Game Services affected by Heartbleed on this site.
What are the latest updates?
It turns out that the Heartbleed security flaw may not be as dangerous as thought, and may not have as much impact as might have been originally feared. Now that a few days have passed, and stringent testing has been done, it appears that, while still a critical issue that needs to be corrected, it may not be as far reaching as it might have been. There is good insight into the current status at The Verge website.
April 14, 2014 – Akamai Heartbleed patch not a fix after all! The Web infrastructure company’s patch was supposed to have handled the problem. Turns out it protects only three of six critical encryption values. Here’s the article discussing the issue.
April 15, 2014 – Every password you should change because of Heartbleed (the ultimate list).
Heartbleed, the massive OpenSSL security flaw, has led to panic. Major companies scrambled to fix the bug, and in the aftermath, experts are preaching a simple recommendation to nearly all Web users: you should probably change your passwords.
Just about every company and every security expert has said the same thing about passwords for years:
You shouldn’t use the same password on every site.
You should change them often.
Some security experts say you should wait a bit before changing your passwords. That’s fine, but it’s likely not necessary, as most major Web firms have long issued fixes. If you really want to be careful, you can check to see if a site is still vulnerable to Heartbleed before changing your password on it. Here’s the link again: Qualys SSL Labs