Be Still My Bleeding Heart! Q&A on the HeartBleed Bug
What is it?
It’s a bug in the software a server uses to secure the communications between you and it, the thing behind the little padlock in your browser when the URL begins with HTTPS. The flaw is in one implementation of TLS, not in the TLS protocol itself.
It is a bug in OpenSSL. It affects versions 1.0.1 through 1.0.1f (inclusive) and the 1.0.2 beta; the older 1.0.0 and 0.9.8 branches never had the heartbeat code and are not affected. Web servers such as Apache and NGINX that link against a vulnerable OpenSSL are the most visible cases, but OpenSSL is used in a lot of other things (mail servers, VPNs, client software), and the complete list of what is affected has yet to be tabulated, so there’s probably other stuff too. Apache and NGINX are the important ones to start with.
What does it do?
It allows bad guys to get important secret info.
A malicious actor sends a TLS heartbeat message (a small keep-alive that says “echo this payload back to me”) whose length field claims the payload is far longer than what was actually sent. The vulnerable versions of OpenSSL never check the claimed length against the size of the record that really arrived, so they reply with up to 64 KB of whatever happens to sit in the server’s live memory after the request. The attacker can repeat this an unlimited number of times, getting a different chunk of memory each time.
From the data they collect they can try to extract valuable information, such as session cookies, usernames and passwords, or worse, the server’s private key from its public/private key pair. This is especially damaging because heartbeat messages are handled inside OpenSSL and never reach the web application, so nothing is logged and the attack leaves no traces.
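To make the mechanism concrete, here is the bug pattern next to its fix, written for this post as an added illustration. It is not OpenSSL’s code: the simulated heap, the secret string, the offsets and the function names are all constructed for the demo, and the copy is clamped to the end of the fake heap only so the demo cannot fault (the real code had no such clamp).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Constructed stand-in for the server's heap: the received heartbeat
 * request sits at offset 0 and a secret belonging to another connection
 * sits a little further along, which is how leaked data ends up in a reply. */
#define DEMO_HEAP_SIZE  256
#define DEMO_SECRET_OFF 64
#define DEMO_SECRET     "password=hunter2"
unsigned char demo_heap[DEMO_HEAP_SIZE];

/* Write a heartbeat request into demo_heap. claimed_len is what goes into
 * the length field (attacker-controlled); payload is what really follows.
 * Returns the number of bytes that were actually "received". */
size_t demo_build_heap(uint16_t claimed_len, const char *payload)
{
    size_t actual = strlen(payload);
    memset(demo_heap, 0, sizeof demo_heap);
    demo_heap[0] = HB_REQUEST;
    demo_heap[1] = (unsigned char)(claimed_len >> 8);
    demo_heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(demo_heap + 3, payload, actual);
    /* padding bytes are already zero */
    memcpy(demo_heap + DEMO_SECRET_OFF, DEMO_SECRET, strlen(DEMO_SECRET));
    return 1 + 2 + actual + HB_PADDING;
}

/* Vulnerable handler, same shape as the bug in OpenSSL 1.0.1 to 1.0.1f:
 * it trusts the length field and copies that many bytes from where the
 * request payload starts, regardless of how much data really arrived. */
size_t vulnerable_handle(const unsigned char *heap, size_t heap_size,
                         size_t rec_off, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = heap + rec_off;
    if (p[0] != HB_REQUEST)
        return 0;
    uint16_t claimed = (uint16_t)((p[1] << 8) | p[2]);
    size_t avail = heap_size - (rec_off + 3);   /* demo-only clamp, see lead-in */
    size_t n = claimed < avail ? claimed : avail;
    if (3 + n + HB_PADDING > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, n);            /* the over-read: n comes from the attacker */
    memset(out + 3 + n, 0, HB_PADDING);
    return 3 + n + HB_PADDING;
}

/* Patched handler, same shape as the 1.0.1g fix: the declared payload plus
 * the minimum padding must fit inside the record that was actually
 * received (rec_len); otherwise the message is silently discarded. */
size_t fixed_handle(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)      /* too short to be a valid heartbeat */
        return 0;
    if (rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)   /* the missing check */
        return 0;
    if (3 + payload + HB_PADDING > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Does the reply contain the secret? (plain byte search) */
int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char out[DEMO_HEAP_SIZE + 3 + HB_PADDING];
    size_t rec_len = demo_build_heap(200, "hi");   /* claims 200 bytes, sends 2 */

    size_t n = vulnerable_handle(demo_heap, DEMO_HEAP_SIZE, 0, out, sizeof out);
    printf("vulnerable: %zu bytes echoed, secret leaked: %s\n",
           n, contains(out, n, DEMO_SECRET) ? "yes" : "no");

    size_t m = fixed_handle(demo_heap, rec_len, out, sizeof out);
    printf("patched:    %zu bytes echoed (0 = request dropped)\n", m);
    return 0;
}
```

The whole fix is the one comparison against the record length that was actually received; an honest request (length field equal to the real payload) still gets echoed back by the patched handler, so the heartbeat feature keeps working.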
Is it bad?
Yes. The sky isn’t falling, but yes, it’s a bad one.
Most of the testing has been done in a controlled environment, against servers the testers owned, so results may differ in the real world, but private information was successfully retrieved with this method.
A few brave souls have actually run proof-of-concept code against servers they did not own, without the owners’ explicit permission. These people were able to retrieve some important information too, and also opened themselves up to all sorts of legal problems for performing free, unrequested, unauthorized penetration tests and kindly posting evidence that can be used against them on their blogs. (We usually call that hacking, by the way.)
How can it be fixed?
The sysadmins of the affected servers need to fix this. It’s on them; there is nothing you can do on your side to patch it.
This needs to be addressed on a per-server basis.
If the server is using a vulnerable version of OpenSSL, the sysadmin for that server needs to upgrade OpenSSL to 1.0.1g (or their distribution’s patched package) or, if upgrading isn’t an option, recompile it with the -DOPENSSL_NO_HEARTBEATS flag to disable the heartbeat extension. Every service that loaded the old library must then be restarted, because a running process keeps using the vulnerable copy in memory. Since the private key may have been read out of memory, they should generate a new private key, get new certificates issued for it and revoke the old ones. To be extra safe they should also force a password reset and invalidate existing sessions, and recommend that their users change their passwords as well.
Why did we not know sooner?
OpenSSL is free and maintained by a small team of volunteers who don’t get paid for their efforts. Because it’s free, lots of people use it. Mistakes happen.
Maybe it is time to fund them properly, seeing the large number of services that rely on OpenSSL. Perhaps we should also start performing in-depth code reviews of the open source projects that power the infrastructure of the web?
Recent events have confirmed that there are adversaries actively trying to weaken secure communications in order to ease their interception, regardless of the fact that this makes those communications easier for anybody to access…
So what should I do?
- Use a “Heartbleed checker” site, like this one: https://lastpass.com/heartbleed/
- Or this one: http://filippo.io/Heartbleed/
- Or the Chromebleed extension, if you use the Chrome browser: https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic to check whether websites that you use are affected. Keep in mind that these checkers only test the public web front end at the moment you run them: a clean result does not tell you whether the site was vulnerable last week, or whether some other system behind it still is.
- Now is a good excuse to change your important passwords, regardless of whether the above shows you’re affected (and regardless of how annoyingly painful this is).
- Start using a password manager like https://lastpass.com/ because you shouldn’t re-use passwords across services, and a password manager makes it easier to keep track of them.
- If you want to read more about it, there is an official page covering the bug that goes in greater details: http://heartbleed.com/
- Mashable has a hit list of affected services; if you actively use one of these, you should look into changing your password there: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
Addendum: wait until the affected service you use has addressed the issue before changing your password there. A password entered on a server that is still vulnerable can leak exactly like the old one did.
CNET has compiled a list of services that have patched or recompiled OpenSSL: http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/
As always, stay safe, and don’t hesitate to post questions in the comments.