Apr 11, 2014

Heartbleed: What is it?

In the past few days, there has been a lot of information floating around about a bug known as Heartbleed. The bug affects versions of a program called OpenSSL and can allow for severe information disclosure that could be used to nullify the encryption used to connect to affected websites. Here is a simple run-down:


SSL stands for Secure Sockets Layer and it is the primary form of encryption used to connect to secure sites. It's the "S" in "https" when accessing a secure web page (primarily for web sites that require log-in information, such as web mail, social media, banking, and commercial web sites.) Anywhere that you have to give a username and password, or any other sensitive information, you should be using some form of encryption, of which SSL is the most popular form.

*I explain SSL because that is the acronym used in the affected program (OpenSSL) and is the most popularly known such protocol. In actuality it appears that the bug is with the TLS (Transport layer Security) protocol, which is the successor/replacement for SSL. The fundamental concepts are the same.


The encrypted session is set-up and managed by the web site your are connecting to, and different web sites can use different programs to do this. OpenSSL is one such program. It is popular because it is open-source (the source code is freely available) and is free to install and use. Part of the functionality of this program is the use of a "heartbeat" which is a protocol used to determine if the OpenSSL service is functioning. A user sends a special request to the server running OpenSSL, which - if functioning properly - responds to and lets the user know that it is up and running as intended.

The Bug

There is a bug in certain versions of OpenSSL that can be exploited to return contents of the servers memory. When replying to a heartbeat request, the server can be induced (through the use of a specifically crafted malformed request) to return, not just the expected heartbeat value, but up to 64 kilobytes of whatever is in the servers current memory. 64 kilobytes is a lot of information, upwards of 64,000 characters.

An excellent graphical explanation is here:

The Impact

The contents of memory that are returned are random, but can contain any number of sensitive information including:
  • The private keys used by the server to encrypt the communication;
  • Usernames and passwords;
  • Cookies and other session information;
Access to this information could allow a malicious user to impersonate users, hijack sessions, or even decrypt traffic being sent to the web server. Since it is impossible to determine what information may have been disclosed through exploitation of this bug, the confidentiality of communication with affected web sites should be considered completely compromised. While this bug has only recently been publicly identified, it has been around for almost two years, and we can't be sure who has previously known about this bug and kept it to themselves.

What do to?

There is already a patch out that addresses this bug, and any web site owners that use this product should be implementing it, and issuing new certificates for their web server (since the existing ones are already compromised).

Many people have rashly suggested changing all your passwords RIGHT NOW, which is premature. So long as a web site is still vulnerable, your username and password can be compromised any time you use the site. Only after the web site has implemented a patch should you then change your password.

(Some) Affected Sites/Services:
  • Facebook
  • Instagram
  • Pinterest
  • Tumbler
  • Google (including Gmail, Youtube, Wallet, Play, and Apps)
  • Yahoo (including Homepage, Search, Mail, Finance, Sports, Food, Tech, Flickr)
  • Etsy
  • GoDaddy
  • Intuit
  • USAA
  • Dropbox
  • Minecraft
  • OKCupid
All of the above sites have made statements indicating that they were (or may have been) affected by the bug but have implemented measures to fix the vulnerability. While most of the sites say they have seen no evidence of compromise, there is no way to be sure.

(Some) Notable Unaffected Sites/Services:
  • LinkedIn
  • Apple
  • Amazon
  • Microsoft
  • AOL
  • Hotmail/Outlook
  • eBay
  • Groupon
  • Nordstrom
  • PayPal
  • Target
  • Walmart
  • Back of America
  • Capital One
  • Chase
  • Citigroup
  • E*Trade
  • Fidelity
  • PNC
  • Schwab
  • ScotTrade
  • TD Ameritrade
  • TD Bank
  • U.S. Bank
  • Wells Fargo
  • IRS
  • Evernote
All of the above sites have indicated that they were note affected by this vulnerability, either because they are not using OpenSSL or not using a vulnerable version of OpenSSL

  • Twitter
  • Netflix
  • Wordpress
These web sites and services have either not made statements or have provided ambiguous or conflicting information regarding the issue.

Ultimately, you should change the password for any service that was affected by this vulnerability. However, you should only do this when the web site or service has adequately fixed the vulnerability. Unfortunately, the two ways of doing this are not currently 100% reliable. You can rely on statements made by the owner of the web site (and trust that) or attempt to use one of the number of web sites out there purporting to be able to check for vulnerability to this bug. Unfortunatley for the latter, many of these services are not reliable, giving contradictory readings on multiple tries. In this case it is probably best to wait until the web site or service issues a statement indicating that they have resolved the issue.

If you use a web site or service not mentioned above and cannot find any statement made by the web site's owner, then it wouldn't be out of line to send an e-mail to the owner or administrator of the site to ask them if they were ever vulnerable, if they've fix it, and whether you should change your username and password.

As always in such cases, you should be wary of people attempting to take advantage of the fear and uncertainty. It's possible that some of the previously mentioned tools might deliberately give false readings on whether or not a web site is vulnerable to the bug. Additionally, people may attempt to send out phishing e-mails encouraging users to change their password which they then can capture. As a matter of course, you should be wary of any e-mail that asks you to change your password and should never use the links provided in those e-mails.

No comments: