Heartbleed SSL Vulnerability – What is it? What Do I Need to Do?
By now, many people have heard about the Heartbleed vulnerability, a bug that has affected (and still affects) millions of websites that use encryption (SSL). Far more than just a “bug”, Heartbleed hit a disproportionate number of websites across the internet (two-thirds of all sites by some accounts) and took a giant toll on sites that followed security best practices and implemented SSL. Although most have heard of Heartbleed, many don’t really understand what it is. Let’s take a step back and see what this Heartbleed thing is all about.
How it Works
Heartbleed is a bug (not a virus) in a piece of software called OpenSSL. Some quick facts:
- OpenSSL is used for security and encryption on a majority of web hosting servers.
- OpenSSL is an open-source project – developed by volunteers and is available free of charge.
- OpenSSL version 1.0.1 (released on April 19th 2012) has a very small bug – an honest programming mistake, not something intentionally malicious – that allows anyone who connects to retrieve information from the memory of the web server.
Let’s Get More Technical!
So how does Heartbleed actually work? The Heartbleed bug exploits a native feature of OpenSSL called the heartbeat. When your computer connects to a secure website (SSL/HTTPS), that website responds to your computer acknowledging the request and letting your computer know that it’s listening for further requests. By design, SSL will only send back the same amount of data your computer sent. However, the Heartbleed vulnerability allows a person to ask for more data than they actually sent. This lets a potential hacker pull bytes from the server’s memory that were left behind by the requests of previous users. In fact, a hacker can request up to 65,536 bytes of information left behind by previous SSL users. What can be found in this data? Depending on the platform, it can include anything from cookies and login credentials to credit card information!
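To make the mechanism concrete, here is an added Python model of the heartbeat handler, written for this post. It is not OpenSSL’s code and never touches a network: the “heap” is a constructed byte string, and the function names (`build_heartbeat`, `process_heartbeat`, `leaked_bytes`) are this example’s own. What it does reproduce is the shape of the message (a type byte, a two-byte claimed payload length, the payload, padding) and the one check the 1.0.1g fix added: the claimed length must fit inside the record that actually arrived. With `fixed=False` the handler trusts the peer’s length field and echoes bytes from beyond the request; with `fixed=True` the same message is dropped.

```python
import struct
from typing import Optional

PADDING_MIN = 16  # a TLS heartbeat message ends with at least 16 bytes of random padding


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """heartbeat_request: type (1 byte) | payload_length (2 bytes) | payload | padding.
    claimed_len is what the sender *says* the payload length is; a well-behaved client
    passes len(payload), a malformed request passes something larger."""
    return bytes([1]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING_MIN


def process_heartbeat(record: bytes, neighbouring_heap: bytes, fixed: bool) -> Optional[bytes]:
    """Toy model of the server-side heartbeat handler (not OpenSSL's real code).
    neighbouring_heap: constructed bytes standing in for whatever the server's
    allocator left in memory right after the received record."""
    if len(record) < 1 + 2 + PADDING_MIN:
        return None  # too short to be a heartbeat at all
    hbtype = record[0]
    (claimed_len,) = struct.unpack("!H", record[1:3])
    # The 1.0.1g fix: header + claimed payload + padding must fit inside the record
    # that actually arrived; otherwise the message is dropped silently.
    if fixed and 1 + 2 + claimed_len + PADDING_MIN > len(record):
        return None
    if hbtype != 1:
        return None  # only heartbeat_request (type 1) gets a reply in this model
    # Unpatched behaviour: trust claimed_len and copy that many bytes starting at the
    # payload. When claimed_len exceeds the real payload, the copy runs past the
    # record into adjacent memory, which is the leak the article describes.
    heap = record + neighbouring_heap
    copied = heap[3:3 + claimed_len]
    return bytes([2]) + struct.pack("!H", claimed_len) + copied + b"\x00" * PADDING_MIN


def leaked_bytes(response: Optional[bytes], real_payload_len: int) -> bytes:
    """Everything in the echoed payload beyond what the client really sent."""
    if response is None:
        return b""
    (n,) = struct.unpack("!H", response[1:3])
    return response[3:3 + n][real_payload_len:]


if __name__ == "__main__":
    # Constructed stand-in for data left behind by an earlier HTTPS session.
    leftover = b"Set-Cookie: session=constructed-example; user=alice"
    request = build_heartbeat(b"ping", claimed_len=40)  # says 40 bytes, really sends 4
    print("unpatched:", leaked_bytes(process_heartbeat(request, leftover, fixed=False), 4))
    print("patched:  ", process_heartbeat(request, leftover, fixed=True))
```

The two-byte length field is what bounds a single reply at roughly 64 KB, which is where the 65,536-byte figure above comes from; the leaked region in the model starts with the request’s own padding and then continues into the neighbouring bytes, mirroring why real leaks contained whatever the allocator had placed next to the record.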
What Can I Do?
As a server owner – patching OpenSSL to 1.0.1g is the first big step. After that, it’s important to re-issue any SSL certificates you’re using or have installed on the server. Finally, you should notify all users to change any login information that is stored on your server.
As a website owner – contact your web host to find out whether the Heartbleed bug affects you. If you use SSL (https) and store login credentials, chances are you might be affected! Once the web host has patched OpenSSL, make sure to re-issue and re-install your SSL certificates and notify your users, asking them to change their login credentials.
As a website user – the most important thing to do is to change your login credentials. However, make sure the website has upgraded and patched its OpenSSL before doing so.
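The first remediation step above is confirming which OpenSSL you are running. As an added example (written for this post, not an OpenSSL or vendor tool; `heartbleed_status` is a name chosen here), the Python below classifies an OpenSSL version string using the branch status the fix announcement established: 1.0.1 through 1.0.1f vulnerable, 1.0.1g and later fixed, 1.0.2-beta1 vulnerable and 1.0.2-beta2 onward fixed, while the 1.0.0 and 0.9.8 branches never had the heartbeat bug. One caveat a practitioner should know: Linux distributions often backport the fix while keeping the old version number (a patched package can still report “1.0.1e”), so treat a “vulnerable” answer as a prompt to check the package changelog, not as proof.

```python
import re

# Branch status as published with the 1.0.1g fix (see the lead-in for the caveat
# about distribution packages that backport the fix under the old version number).
_VERSION_RE = re.compile(
    r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE
)


def heartbleed_status(version_string: str) -> str:
    """Classify an OpenSSL version string as vulnerable, patched, not_affected or unknown.

    Accepts both bare strings ("1.0.1g") and the full banner printed by
    `openssl version` ("OpenSSL 1.0.1e 11 Feb 2013")."""
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        return "unknown"
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter = m.group(4).lower()                       # "" for 1.0.1, "g" for 1.0.1g
    beta = int(m.group(5)) if m.group(5) else None    # 1 for 1.0.2-beta1
    if (major, minor, patch) == (1, 0, 1):
        if beta is not None:
            return "unknown"  # 1.0.1 prerelease builds are not covered by this table
        return "vulnerable" if letter < "g" else "patched"
    if (major, minor, patch) == (1, 0, 2):
        return "vulnerable" if beta == 1 else "patched"
    if (major, minor) in ((1, 0), (0, 9)):
        return "not_affected"  # 1.0.0 and 0.9.8 predate the heartbeat extension
    if (major, minor, patch) > (1, 0, 2):
        return "not_affected"  # 1.1.x and later were released with the fix
    return "unknown"


if __name__ == "__main__":
    # Check the OpenSSL this Python interpreter is linked against.
    import ssl
    print(ssl.OPENSSL_VERSION, "->", heartbleed_status(ssl.OPENSSL_VERSION))
```

On the server itself, feed it the output of `openssl version`; in Python, `ssl.OPENSSL_VERSION` gives the same banner for the interpreter’s own library. When you get to the certificate step, re-issue with a newly generated private key rather than re-signing the old one: the private key lived in the same process memory the bug exposed, which is the whole reason re-issuing is on the checklist.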
How Serious and Dangerous is This?
Although initial forecasts mentioned up to two-thirds of internet sites being affected, the real impact of the bug may be more limited. Additionally, hackers don’t have an easy way to get all the data from a server, being limited to 65,536 bytes at a time. Busier websites (and servers) recycle their memory more often, giving a hacker less historical data to work with. It’s a best practice to use different passwords across different services and to change your passwords regularly. As long as you’re doing that, this bug will have very little effect on your daily operation. As a web host or site owner, there is slightly more work, but nothing too tough. When in doubt, our team of experts can always help out!