The Heartbleed Bug: Change Your Passwords Now
Security alert level: really high. On Monday of this week, security professionals received a scary message: a bug, named Heartbleed, had been discovered in a widely-used release of the popular open-source security protocol OpenSSL. What makes this bug truly scary is that it allows anyone on the Internet to extract 64 KB of working memory from a server running an affected version of OpenSSL at any time. And, the bug has been around for two years. And, it’s impossible to know whether or not it’s been exploited before. And approximately two thirds of all web servers use OpenSSL. Get the picture?
So, how does it work? In short, the bug is a simple coding mistake. There’s no flaw in the SSL/TLS protocol specification, but there is a problem with the OpenSSL’s implementation of the heartbeat extension. When a client and server communicate, they exchange a handshake or “heartbeat” to ensure that both machines are working and are correctly identifiable. In the problematic heartbeat implementation, the client sends a certain amount of data to a certain section of the server’s memory. Then, the server sends the same amount of data back. A variable called payload checks to make sure that the amount of data returned is the same as the amount of data received.
Therein lies the issue. Because of the extraordinarily simple bug the server does not check to make sure that it actually received the amount of data that payload said it did, making it possible for the server to send back a certain amount of data from the memory address that the original command specified. The client could send no data whatsoever, but if it says it did than the server will send some back. The danger lies in the fact that computers do not actually delete files from memory until they are powered down. Instead, they mark the data as overwriteable. When the client does not send any data to overwrite the memory in the address specified by the heartbeat command, the server simply grabs some random data out of memory and sends it off. This data could be your bank account password, or worse, the encryption key or admin login to the server.
Next steps? Change all of your passwords. However, if the affected server has not been updated to a patched version of OpenSSL, any effort you make will be fruitless. A number of affected sites, like Yahoo, have already worked on updating their servers. This weekend will probably be a good time to change passwords as that gives affected sites some time for them to be patched.
For further reading and more in-depth explanations of Heartbleed, see these articles: