A critical OpenSSL vulnerability nicknamed “Heartbleed” was discovered recently and you need to know whether your information could be impacted. What is Heartbleed anyway?
What is Heartbleed?
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). (source – Heartbleed.com)
Basic Things You Should Know About Heartbleed and OpenSSL
- The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.
- OpenSSL is a library that provides cryptographic functionality to applications such as secure web servers. Be sure to read the documentation of the application you want to use. The INSTALL file explains how to install this library. OpenSSL is based on the SSLeay library developed by Eric A. Young and Tim J. Hudson and the OpenSSL toolkit is licensed under an Apache-style licence which basically means that you are free to get and use it for commercial and non-commercial purposes.
- The Heartbleed bug compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.
- The Heartbleed bug allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
- The Heartbleed bug is not a design flaw in the SSL/TLS protocol specification. It is an implementation problem, i.e. a programming mistake in the popular OpenSSL library that provides cryptographic services such as SSL/TLS to applications and services.
Should You Be Concerned?
Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. Encryption doesn’t prevent hacking but it reduces the likelihood that the hacker will be able to read the data that is encrypted. Encryption is used to protect secrets that may harm your privacy or security if they leak. This bug has compromised secrets in four categories:
- The Heartbleed bug leaked primary key material – the crown jewels – the encryption keys themselves. Leaked secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will.
- The Heartbleed bug leaked secondary key material – the user credentials (user names and passwords) used in the vulnerable services.
- The Heartbleed bug leaked protected content – actual content like personal or financial details, private communication such as emails or instant messages, documents or anything seen worth protecting by encryption handled by the vulnerable services.
- The Heartbleed bug leaked collateral – other details exposed to the attacker in the leaked memory content, such as memory addresses and security measures like the canaries used to protect against overflow attacks. These have only short-lived value and lose their value to the attacker once OpenSSL has been upgraded to a fixed version.
OpenSSL is the most popular open source cryptographic library and TLS (Transport Layer Security) implementation used to encrypt traffic on the Internet. You may be directly or indirectly affected if any site you rely on (a social site, your company’s site, a commerce site, a hobby site, a site you install software from, or even a site run by your government) uses a vulnerable OpenSSL.
Users of OpenSSL versions 1.0.1 through 1.0.1f (inclusive) with the heartbeat extension enabled are affected.
OpenSSL version 1.0.1g fixes the vulnerability; OpenSSL builds compiled without the heartbeat extension are also not affected.
What You Can Do
- If you are not using OpenSSL on your servers (or are not hosted on one of our Shared hosting plans), you are not affected.
- If you do use OpenSSL, identify which servers are running OpenSSL (versions 1.0.1 through 1.0.1f are affected).
- Update to the latest patched version of the software (1.0.1g), or recompile OpenSSL without the heartbeat extension, if applicable.
- Reissue any SSL certificates on affected web servers after moving to a patched version of OpenSSL.
- Test your SSL installations. You can also test your site here: http://filippo.io/Heartbleed/
- Revoke any certificates that were replaced. Please revoke AFTER the reissue has been completed and you have successfully installed it on your web server.
- Consider resetting end-user passwords that may have been visible in the memory of a compromised server.
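The following script is an added example, not part of the original post, covering the "identify which servers are running an affected OpenSSL" step together with the affected-version range stated above. It classifies the version string printed by `openssl version` against that range (1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed), checks whether the heartbeat extension was compiled out, and can optionally ask a server which TLS extensions it advertises. The function names and the host/port arguments are my own; the `openssl version` and `openssl s_client -tlsextdebug` invocations are real OpenSSL commands.

```shell
#!/bin/sh
# Added example (not from the original post): Heartbleed triage helper.
# Assumes the affected range stated in the post: OpenSSL 1.0.1 through
# 1.0.1f are vulnerable, 1.0.1g and later are fixed.

# Pull the bare version token out of `openssl version` output,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
openssl_version_token() {
    # shellcheck disable=SC2086
    set -- $1
    [ "$1" = "OpenSSL" ] && shift
    printf '%s\n' "$1"
}

# Classify a bare version token against the affected range.
# Anything outside the 1.0.1 branch gets "check_vendor": the post does not
# cover it, so consult your vendor's advisory rather than assume.
classify_openssl_version() {
    case "$1" in
        1.0.1|1.0.1[a-f]*) echo vulnerable ;;    # 1.0.1 .. 1.0.1f (incl. e.g. 1.0.1e-fips)
        1.0.1[g-z]*)       echo fixed ;;         # 1.0.1g and later
        *)                 echo check_vendor ;;  # other branch: not covered by the post
    esac
}

# Local check with two caveats a practitioner needs:
#  - distributions often backport the fix while keeping the 1.0.1e string,
#    so the build date (`openssl version -b`) and the package changelog are
#    the real tie-breakers for a "vulnerable" result;
#  - a build whose compiler flags show OPENSSL_NO_HEARTBEATS has the
#    extension compiled out and is not affected regardless of version.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl: not installed on this host"
        return 0
    fi
    ver=$(openssl_version_token "$(openssl version)")
    status=$(classify_openssl_version "$ver")
    if openssl version -f 2>/dev/null | grep -q OPENSSL_NO_HEARTBEATS; then
        status="heartbeat_compiled_out"
    fi
    echo "openssl $ver: $status ($(openssl version -b))"
    return 0
}

# Remote check: does a TLS server advertise the heartbeat extension?
# `s_client -tlsextdebug` prints lines such as
#   TLS server extension "heartbeat" (id=15), len=1
# A server that does not advertise it has heartbeats disabled or compiled
# out; one that does still needs the version/patch check above.
server_advertises_heartbeat() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -tlsextdebug </dev/null 2>/dev/null \
        | grep -qi 'server extension "heartbeat"'
}

# Usage: sh heartbleed_check.sh             # local triage only
#        sh heartbleed_check.sh host [port] # also probe one server's extensions
check_local_openssl
if [ -n "${1:-}" ]; then
    if server_advertises_heartbeat "$1" "${2:-443}"; then
        echo "$1:${2:-443} advertises the TLS heartbeat extension; verify its OpenSSL build"
    else
        echo "$1:${2:-443} does not advertise the TLS heartbeat extension"
    fi
fi
```

Run it on each server you inventoried in step two; a "vulnerable" verdict on a distribution package is a prompt to check the package changelog, not a final answer, while "fixed" or "heartbeat_compiled_out" means that host does not need the OpenSSL upgrade but still needs the certificate reissue if it ever ran an affected build.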
Helpful Resources regarding Heartbleed
- What WordPress site owners need to do about the HeartBleed vulnerability
- Heartbleed test
- The Heartbleed Hit List: The Passwords You Need to Change Right Now
- The Programmer Behind Heartbleed Speaks Out: It Was an Accident
- Master List of Sites Vulnerable and Not Vulnerable to Heartbleed
- How to tell if Heartbleed could have stolen your password, and when it’s safe to change it
It is wise to take all the necessary precautions without giving in to panic. Learn all you can and act accordingly.