The Heartbleed bug: how 7 missing lines of code impacted over two thirds of the Internet


On April 7, the IT industry was rocked by the announcement that over 60 percent of the Internet, even secure SSL connections, was vulnerable to attack due to a new weakness codenamed Heartbleed. The weakness lives in the OpenSSL cryptographic software library, which encrypts sessions between consumer devices and websites. The affected feature is usually referred to as the “heartbeat”, since it pings messages back and forth; hence the name of the bug.

This is a critical vulnerability that is already testing the contingency plans of thousands of Linux vendors, as well as hosting companies. 

What does Heartbleed mean for consumers?

It means that even encrypted browsing can be seen and stolen by hackers without a trace. The weakness allows a hacker to gain access to the private key used to encrypt the web traffic, giving them access to all encrypted data going to or coming from that server. Both the consumer and the company assume they’re safe, yet a hacker could be intercepting the network traffic and siphoning off personal information such as passwords, credit card numbers, account details, and more.

Companies began taking immediate action to patch this bug, but there was no way to tell what had already been affected. The bug had been around since 2012, giving hackers plenty of time to snoop around any server they could attack and siphon off data. And because of the anonymity this bug afforded them, it will be virtually impossible for companies to detect whether anything has been stolen from their servers.

Ah! How do I stop the leak?!

As a consumer, there’s really nothing you can do other than change your passwords, and only once the website is patched. However, you can test some of your more important sites here to see if they are still vulnerable. The OpenSSL developers are aware of the issue and have already patched their library; now the patch just needs to be deployed. So if you’re running a Linux server, be sure to update your OpenSSL library to the most recent non-vulnerable version (OpenSSL 1.0.1g).

Though, if you want to be as safe as possible, you might want to take Tor’s advice on Heartbleed: “If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.”

From our point of view this is a structural quality issue or, more simply, a memory overflow issue: the bug lets an attacker pull 64K at a time from a random location in a given server’s memory. So it’s not exactly precise, but a hacker with enough skill could create a script to scrape an entire server.

It’s still a sobering thought to imagine how 7 missing lines of code (which is all the patch contains) impacted over two thirds of the Internet. If this isn't a wake-up call for everyone to test the architectural quality of their web applications, I don’t know what is!
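To make the “missing lines” concrete, here is an added C example (not code from this post or from OpenSSL) of the kind of length check the fix introduced: a heartbeat record carries its own claimed payload length, and the server must refuse to echo more bytes than it actually received. The record layout, function names and sample records are simplifications assumed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_PADDING  16   /* minimum trailing padding in a heartbeat record */
#define HB_RESPONSE 2    /* message type of the echo response */

/* The check the patch added, in spirit: the 2-byte length field in the
 * request header is attacker-controlled, so it must be validated against
 * the number of bytes that actually arrived. Returns 1 if consistent. */
static int hb_payload_length_is_sane(const uint8_t *rec, size_t rec_len,
                                     size_t *payload_len_out)
{
    /* 1 byte type + 2 bytes length + payload + at least 16 bytes padding */
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len) return 0;
    *payload_len_out = claimed;
    return 1;
}

/* Build the echo response. Returns bytes written, or 0 if the request is
 * rejected. Before the fix, the copy below used the claimed length without
 * this check, so it read past the end of the received record into whatever
 * adjacent heap memory held (keys, cookies, passwords). */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    size_t plen;
    if (!hb_payload_length_is_sane(rec, rec_len, &plen)) return 0;
    size_t need = 1 + 2 + plen + HB_PADDING;
    if (need > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)plen;
    memcpy(out + 3, rec + 3, plen);          /* echo only what was received */
    memset(out + 3 + plen, 0, HB_PADDING);   /* padding (random in real TLS) */
    return need;
}

/* Constructed sample records (not real traffic): both carry a 4-byte
 * "ping" payload, but the second one claims a 16384-byte payload. */
static const uint8_t HB_GOOD[23]  = { 1, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t HB_LYING[23] = { 1, 0x40, 0x00, 'p', 'i', 'n', 'g' };

size_t hb_demo(const uint8_t *rec)
{
    uint8_t out[64];
    return hb_build_response(rec, sizeof HB_GOOD, out, sizeof out);
}

int main(void)
{
    printf("honest record -> %zu bytes echoed\n", hb_demo(HB_GOOD));
    printf("lying record  -> %zu bytes echoed\n", hb_demo(HB_LYING));
    return 0;
}
```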

Filed in: Industry News
Damien Choizit Director of Engineering
Damien Choizit is a former Senior Solutions Engineer at CAST and current Director of Engineering at Group HN. He has over 10 years of experience as a software engineer and is dedicated to helping companies improve software quality.