The Heartbleed bug: how 7 missing lines of code impacted over two thirds of the Internet


On April 7, 2014, the IT industry was rocked by the announcement that roughly two thirds of the web servers on the Internet, including those serving "secure" HTTPS connections, were vulnerable to attack because of a newly disclosed weakness codenamed Heartbleed (CVE-2014-0160). The weakness lives in OpenSSL, the cryptographic software library that encrypts sessions between consumer devices and websites; more precisely, in OpenSSL's implementation of the TLS heartbeat extension (RFC 6520), a keep-alive feature in which one side sends a small payload and the other side echoes it back. Hence the name of the bug.

This is a critical vulnerability that is already testing the contingency plans of Linux distributions, hosting companies and thousands of website operators.

What does Heartbleed mean for consumers?

It means that even encrypted browsing can be read by attackers without leaving a trace. The weakness lets an attacker read chunks of the server's memory, and that memory can contain the server's private key, session cookies, and the plaintext of requests other users are sending at that moment. With the private key, an attacker who can capture the network traffic can decrypt it (sessions negotiated with forward-secret ciphersuites are the exception: the key alone does not decrypt those, but it still lets the attacker impersonate the server). From both the consumer and the company vantage point, everyone assumes they are safe. Meanwhile, an attacker could be intercepting the traffic and siphoning off personal information such as passwords, credit card numbers, account details, and more.

Companies began taking immediate action to patch this bug, but there was no way to tell what had already been affected. The vulnerable code shipped in OpenSSL 1.0.1 in March 2012, giving attackers two years to probe any server they could reach and siphon off data. And because exploitation leaves nothing in normal server logs (a malformed heartbeat is handled inside the TLS layer and never reaches the application), it will be virtually impossible for most companies to determine whether anything was stolen.

Ah! How do I stop the leak?!

As a consumer, there's really nothing you can do other than change your passwords, and only once the website has been patched (changing them earlier just exposes the new password as well). You can test your more important sites with one of the public Heartbleed checkers to see whether they are still vulnerable. The OpenSSL developers are aware of the issue and have already patched the library; now the fix needs to be deployed. If you run a Linux server, update to OpenSSL 1.0.1g or later (1.0.1 through 1.0.1f are affected, as is 1.0.2-beta1; the older 0.9.8 and 1.0.0 branches never contained the heartbeat code), or to a distribution package that backports the fix, since distributions such as Debian, Ubuntu and Red Hat patched the bug without changing the reported version string, so check the package changelog rather than trusting `openssl version` alone. Then restart every service that loaded the old library, and because the private key may already have leaked, generate a new key, reissue your certificate, revoke the old one, and invalidate existing sessions.

Though, if you want to be as safe as possible, you might want to take Tor’s advice on Heartbleed: “If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.”

From our point of view this is a structural quality issue, or more plainly, a missing bounds check that causes a buffer over-read. A heartbeat request carries a two-byte length field; the server allocated a reply of that length and copied that many bytes from the incoming message, without checking that the message actually contained that many bytes. A request declaring 64 KB of payload while sending only a few bytes therefore gets a reply filled with up to 64 KB of whatever happened to sit next to the message in the server's heap. The attacker cannot choose which memory comes back, so any single request is imprecise, but the request needs no authentication and can be repeated indefinitely, so a simple script can scrape a server's memory until keys, cookies or passwords turn up.
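As an added example (not code from the original post, and not OpenSSL's own source), here is a self-contained C model of the heartbeat handler that shows the 1.0.1f behaviour and the 1.0.1g behaviour side by side. The record layout follows RFC 6520 and the two checks on the `fixed` path mirror the ones the patch added; the `g_heap` array, the `SECRET` string and all function names are constructed for the demo so that the over-read stays inside our own buffer instead of reading real heap memory.

```c
#include <stdint.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* RFC 6520 requires at least 16 bytes of padding */

/*
 * Constructed demo "heap": the heartbeat record (22 bytes) is immediately
 * followed by other process data, standing in for the key material and
 * session data that sat near the record buffer on a real server.
 */
static unsigned char g_heap[512];
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY----- (constructed demo secret)";
#define REC_LEN (1 + 2 + 3 + HB_PADDING)     /* a record really carrying the 3-byte payload "abc" */

static void build_heap(uint16_t declared_len)
{
    memset(g_heap, 0, sizeof g_heap);
    g_heap[0] = TLS1_HB_REQUEST;
    g_heap[1] = (unsigned char)(declared_len >> 8);   /* attacker-controlled length field */
    g_heap[2] = (unsigned char)(declared_len & 0xff);
    memcpy(g_heap + 3, "abc", 3);                     /* the payload bytes actually sent */
    memset(g_heap + 6, 0x11, HB_PADDING);
    memcpy(g_heap + REC_LEN, SECRET, sizeof SECRET);  /* neighbouring data, not part of the record */
}

/*
 * Model of the heartbeat handler. rec_len is how many bytes the TLS record
 * really carried (s->s3->rrec.length in OpenSSL). With fixed == 0 it trusts
 * the declared length like 1.0.1f did; with fixed == 1 it applies the 1.0.1g
 * bounds checks. Returns bytes written to out, or 0 if the message is discarded.
 */
static size_t process_heartbeat(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap, int fixed)
{
    if (fixed && rec_len < 1 + 2 + HB_PADDING)
        return 0;                                 /* 1.0.1g: too short to be valid, silently discard */

    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s(p, payload) */
    p += 2;
    const unsigned char *pl = p;

    if (fixed && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                                 /* 1.0.1g: declared length exceeds the record, discard */

    if (hbtype != TLS1_HB_REQUEST)
        return 0;

    size_t resp_len = (size_t)1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return 0;                                 /* demo bound only; OpenSSL mallocs resp_len */

    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);        /* s2n(payload, bp) */
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);                      /* the over-read: copies 'payload' bytes from a record holding 3 */
    bp += payload;
    memset(bp, 0x22, HB_PADDING);                 /* real code fills this with random bytes */
    return resp_len;
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* 1.0.1f behaviour: a request declaring 200 bytes but carrying 3 leaks the neighbour. */
int demo_vulnerable_leaks_secret(void)
{
    unsigned char out[512];
    build_heap(200);
    size_t n = process_heartbeat(g_heap, REC_LEN, out, sizeof out, 0);
    return n == (size_t)1 + 2 + 200 + HB_PADDING && contains(out, n, "PRIVATE KEY");
}

/* 1.0.1g behaviour: the same request is discarded without a reply. */
int demo_fixed_discards_oversized(void)
{
    unsigned char out[512];
    build_heap(200);
    return process_heartbeat(g_heap, REC_LEN, out, sizeof out, 1) == 0;
}

/* 1.0.1g still answers an honest request (3 declared, 3 sent) with a 22-byte reply. */
size_t demo_fixed_answers_valid(void)
{
    unsigned char out[512];
    build_heap(3);
    size_t n = process_heartbeat(g_heap, REC_LEN, out, sizeof out, 1);
    return (n == REC_LEN && out[0] == TLS1_HB_RESPONSE && memcmp(out + 3, "abc", 3) == 0) ? n : 0;
}
```

The only difference between the two paths is the pair of length checks, which is why the real patch is so small: the reply is still allocated from the attacker's length field, but the copy is refused unless the record really contains that many bytes. Repeating the vulnerable request with a declared length of 0xFFFF is exactly the "scrape 64K at a time" loop described above.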

It’s still a sobering thought that 7 missing lines of code (which is what the patch contains) impacted over two thirds of the Internet. If this isn't a wake-up call for everyone to test the architectural quality of their web applications, I don’t know what is!

Filed in: Industry News
Damien Choizit Director of Engineering
Damien Choizit is a former Senior Solutions Engineer at CAST and current Director of Engineering at Group HN. He has over 10 years of experience as a software engineer and is dedicated to helping companies improve software quality.