On April 7th, Google and researchers from the defense firm Codenomicon dropped a bombshell on the web community when they announced the discovery of a flaw in OpenSSL, the security software that is supposed to keep webservers safe from data thieves. Here’s the lowdown on this latest security threat, and what users can do to keep their data secure.
What is Heartbleed?
Heartbleed is a programming bug in certain versions of the OpenSSL encryption software, which runs on as many as two-thirds of the servers on the web. Servers use OpenSSL to safeguard passwords, emails, banking information and other sensitive data. Each server has two encryption keys: a public key known to everyone and a private key known only to the server. When you log into a server that uses OpenSSL, the server and your computer or mobile device use it to set up an encrypted connection so that no one can read the data while it’s in transit.
On servers affected by the Heartbleed bug, a missing check in the code allows hackers to retrieve a 64 kilobyte chunk of the server’s memory. Since the attacker can’t control which area of memory the server reads from, they are basically playing roulette. They may get nothing, but they could also read secure data. In the worst case, the hacker hits the jackpot and obtains the server’s private master key, allowing them to decrypt any traffic sent to or from the server.
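To make that "missing check" concrete, here is an added toy model in C, written for this article and not taken from OpenSSL: a heartbeat record carries a length field chosen by the peer, the vulnerable handler trusts it and copies past the end of the record, and the fixed handler rejects any record whose length field does not fit. The `arena` buffer, the planted secret and all function names are constructed for the illustration.

```c
#include <stdint.h>
#include <string.h>

/* Toy heartbeat record layout (after RFC 6520): type(1) | length(2) | payload | padding(16). */
#define HB_RESPONSE 2
#define HB_PADDING 16
#define ARENA_SIZE 512

/* Constructed "heap": the incoming record sits just in front of other session data. */
unsigned char arena[ARENA_SIZE];

/* Write a heartbeat request into the arena. claimed_len is what the length field says,
 * actual_len is how many payload bytes are really present. Returns the real record size. */
size_t build_request(uint16_t claimed_len, size_t actual_len) {
    static const char secret[] = "SESSION-SECRET-123";   /* constructed sensitive data */
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                 /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memset(arena + 3, 'A', actual_len);           /* the payload the peer really sent */
    /* Something sensitive that happens to live a little past the end of the record. */
    memcpy(arena + 3 + actual_len + HB_PADDING + 8, secret, sizeof secret - 1);
    return 1 + 2 + actual_len + HB_PADDING;
}

/* Vulnerable responder: trusts the peer-supplied length field. Returns bytes written to out. */
size_t respond_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    (void)rec_len;                                /* the real record size is never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);            /* reads past the record when payload > actual */
    return 3 + payload;
}

/* Fixed responder: a record whose length field does not fit inside the record is
 * silently discarded, as RFC 6520 section 4 requires. Returns 0 when discarded. */
size_t respond_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return 3 + payload;
}

/* Detection helper for the demo: did the response carry the planted secret? */
int leaks_secret(const unsigned char *resp, size_t n) {
    static const char needle[] = "SESSION-SECRET";
    size_t k = sizeof needle - 1;
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(resp + i, needle, k) == 0) return 1;
    return 0;
}
```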
What Software is Affected?
OpenSSL is used in Apache and nginx, two of the most popular open source webserver programs, which together comprise 66% of all webservers on the Internet. The Heartbleed bug affects all versions of OpenSSL from 1.0.1 through 1.0.1f, as well as 1.0.2-beta. The affected software came into widespread use on March 14th, 2012.
There is no way for users to know if an attack exploiting the Heartbleed bug has occurred in the past, but analysis of server logs has uncovered indirect evidence that hackers may have been using the bug for at least five months.
Operators must update to the latest version, generate a new private key and replace their SSL certificate. If a server has been compromised, the attacker could have gained access to your sensitive data during the time the bug was active. If hackers have the server’s private master key, they can keep stealing data even after the patch if the operator does not change the key and SSL security certificate.
Large companies like Amazon, Facebook, Microsoft and eBay/PayPal have publicly stated they are aware of the issue and their users need not worry, but it will take time for smaller providers to update their software and change their security certificates. The process of changing a security certificate is slow and expensive, so some companies may just update the software and leave their possibly compromised keys intact without notifying their users.
What Can Users Do to Safeguard their Data?
Now that the bug is out in the open and widely known, more hackers will be looking to exploit it before operators can patch their servers and close the loophole.
Since the problem is so widespread and smaller providers may be slow in replacing their keys, it’s very important for users to change their passwords on any account they want to keep safe. This includes banking sites, email, credit card sites and web mail. Change a password only once the site has patched and replaced its key; a new password sent to a still-vulnerable server can be stolen just like the old one.
Some client software also uses OpenSSL, so keep it updated as well. If you have received an SSL certificate from your hosting provider, have them send you a new certificate after they have patched the bug and updated their key.