What is the Heartbleed bug?
Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet’s Transport Layer Security (TLS) protocol. A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. At that time, some 17 percent (around half a million) of the Internet’s secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers’ private keys and users’ session cookies and passwords.
The issue is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160.
The damage caused by the “Heartbleed” bug is currently unknown. The security hole exists on a vast number of the internet’s web servers and went undetected for more than two years. While it’s conceivable that the flaw was never discovered by hackers, it’s nearly impossible to tell.
There isn’t much that people can do to protect themselves until the affected websites implement a fix.
Why is it a big deal?
Heartbleed affects the encryption technology designed to protect online accounts for email, instant messaging and e-commerce. It was discovered by a team of researchers from the Finnish security firm Codenomicon, along with a Google researcher who was working separately.
It’s unclear whether any information has been stolen as a result of Heartbleed, but security experts are particularly worried about the bug because it went undetected for more than two years.
How does it work?
Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to show that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock is closed. Interlopers can also grab the keys for deciphering encrypted data without the website owners knowing the theft occurred.
The problem affects only the OpenSSL implementation of SSL/TLS, but that happens to be one of the most common on the Internet.
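The article does not say what the defect was: OpenSSL failed to check the length field of a TLS heartbeat request (RFC 6520) against the size of the record it had actually received, so a peer could declare a longer payload than it sent and get neighbouring process memory echoed back. The following simplified C model is an added illustration for this page, not OpenSSL's own code; it shows the unchecked handler and the checked one on a constructed record, and the arena layout, function names and the secret string are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified TLS heartbeat record (RFC 6520 layout):
 *   type(1) | payload_length(2, big-endian) | payload | padding(16) */
#define HB_PADDING 16
#define ARENA_LEN 256
static const char SECRET[] = "SESSION=constructed-secret"; /* constructed */

/* Echo the heartbeat in 'rec', whose true on-the-wire length is 'rec_len'.
 * Returns a malloc'd response (length in *out_len), or NULL if dropped. */
static unsigned char *heartbeat_reply(const unsigned char *rec, size_t rec_len,
                                      int bounds_check, size_t *out_len)
{
    if (rec_len < 3) return NULL;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]); /* peer-chosen */

    /* The fix: header + declared payload + padding must fit inside what
     * was actually received; otherwise discard the record silently. */
    if (bounds_check && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return NULL;

    unsigned char *resp = malloc(3 + payload + HB_PADDING);
    if (!resp) return NULL;
    resp[0] = 2; /* heartbeat_response */
    resp[1] = rec[1];
    resp[2] = rec[2];
    /* Unchecked, this copies 'payload' bytes from rec+3 however short the
     * record really was, so adjacent memory is echoed back to the peer. */
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    *out_len = 3 + payload + HB_PADDING;
    return resp;
}

/* Constructed arena: a well-formed 24-byte heartbeat ("hello" + padding)
 * followed at offset 64 by data standing in for whatever sat next to it. */
static unsigned char *build_arena(uint16_t declared_len)
{
    unsigned char *a = calloc(ARENA_LEN, 1);
    if (!a) return NULL;
    a[0] = 1; /* heartbeat_request */
    a[1] = (unsigned char)(declared_len >> 8);
    a[2] = (unsigned char)(declared_len & 0xff);
    memcpy(a + 3, "hello", 5); /* the real 5-byte payload */
    memcpy(a + 64, SECRET, sizeof SECRET - 1);
    return a;
}
```

With a declared length of 200 and a 24-byte record, the checked handler drops the request while the unchecked one returns 219 bytes that include the data placed at offset 64, which is the whole of the leak in miniature.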
Which sites are affected?
Around half a million sites are believed to be vulnerable, too many to list, but there is a glut of new sites offering users the chance to check whether the online haunts they use regularly are affected.
While Facebook and Google say that they have patched their services, according to the Kaspersky blog, there is a long list of sites that are still vulnerable, including Flickr, OkCupid and Github.
One of the biggest tech firms remaining on the vulnerable list was Yahoo but, as of last night, it too seemed to have remedied the problem, saying it “had made the appropriate corrections across our entire platform”.
Many more sites will spend the coming days scrambling to do the same.
Bruce Schneier called on internet companies to issue new certificates and keys for encrypting internet traffic. Doing so would render stolen keys useless, he said.
Worst case scenario
The bad news, according to a blog from security firm Kaspersky, is that “exploiting Heartbleed leaves no traces so there is no definitive way to tell if the server was hacked and what kind of data was stolen”.
Security experts say that they are starting to see evidence that hacker groups are conducting automated scans of the internet in search of web servers using OpenSSL.
And Kaspersky said that it had uncovered evidence that groups believed to be involved in state-sponsored cyber-espionage were running such scans shortly after news of the bug broke.