Posted by - Paul Martini, Co-Founder
A new program error/bug with the provocative name, Heartbleed, is making headlines this week, partly because it’s a flaw within the very technology designed to secure Internet communications. The SSL vulnerability takes advantage of a flaw in the TLS code involved with encrypting data to and from servers. Since the flaw is inside a fundamental library used by a large number of websites, the aftershock of this vulnerability can be devastating. Worse yet, if this vulnerability has already been exploited, it’s a ticking time bomb as the hacker may have already extracted sensitive keys that can be used to intercept and read a user’s data as it travels to and from a secure website.
The flaw is simple – from a programmer’s view, a buffer was not capped. What this means is that an area of memory used by software to store information was created and information was put into it, but the size of the area was not bound. This caused information outside of that area to be included, something that was never intended. In the case of this bug, that information may have included private keys that a server must safeguard in order to ensure communication is protected from end users. For example, as you’re logged into your secure banking site, encrypted “heartbeats” are sent to and from your computer and the server. The heartbeat response from the server included additional non-intended data, which hackers could analyze in order to extract sensitive data from the server.
The risks involved and what you can do to mitigate them:
- The flaw has been around undetected for a long time. If hackers have been using this technique, they may have obtained sensitive private encryption keys to many websites and servers. They may not have taken advantage of the information yet,
so if and when they do the damages can be immense.
- It affects an encryption package called OpenSSL, used by a large number of servers and websites. If you are an administrator and have any servers in your organization using OpenSSL, upgrade your OpenSSL packages if they are running version 1.0.1 through 1.0.1f. Older versions of OpenSSL are not affected (0.9.8, for example). This is good news as a large number of installs are on prior versions that were not affected by the bug. To check your version of OpenSSL on a linux server, try “openssl version”.
- You should consider changing your SSL certificates if you were on a vulnerable version of OpenSSL. If a hacker exploited this vulnerability, they may have your sensitive private SSL keys. If you are running a financial or highly sensitive server, replacement of your SSL certificates is a must.
- OpenSSL is primarily used on Linux and BSD operating systems, but can also be used on Windows. Don’t assume you are not affected just because you are running Windows.
Don’t Ignore MITM Risks
Although this flaw is primarily focused on web servers, there’s one aspect that is being ignored. If you are on a network that performs SSL decryption, you are at an even higher risk. If a hacker has exploited the gateway’s SSL key, they can have access to any and every website you are decrypting. Upgrade your MITM (man-in-the-middle) gateways immediately.
Here are some other helpful sites:
• Here is website set up by Codenomicon devoted to answering questions about Heartbleed: http://heartbleed.com
• This site includes a long list of sites and the whether or not they are vulnerable to Heartbleed: https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
• Check URLs individually on this site: http://filippo.io/Heartbleed/