The newly discovered Heartbleed bug is being touted as the Web’s worst security bug ever. So, I decided to write a series of 3 posts explaining what it is, which sites are affected and what you should do to protect yourselves from this “Greatest Virtual Horror of All Time.”
So, what does it do?
It allows hackers to steal passwords and login details when users visit vulnerable sites — undetected. Now what’s even worse is that the affected sites probably have no idea they’re vulnerable.
Some experts have even estimated that up to 66% of the Internet’s servers could be affected. Also, each server has to be fixed manually, so it could take a while to do it.
But, how can this be? The web is so secure!
The web is not secure. It only seems to be secure!
The problem affects a piece of software called OpenSSL, which is used for security on popular web servers. With OpenSSL, websites can provide encrypted information to visitors, so the data transferred (including usernames, passwords, and cookies) cannot be seen by others while it goes from your computer to the website.
OpenSSL is an open source project, meaning it was developed by really talented volunteers, free of charge, to help the internet community. It happens that version 1.0.1 of OpenSSL, released on April 19, 2012, has a little bug that allows a person (who may be a malicious hacker) to retrieve information from the memory of the web server without leaving a trace. This honest mistake was introduced with a new feature implemented by Dr. Robin Seggelmann, a German programmer who often contributes to security code.
Heartbleed exploits a built-in feature of OpenSSL called “heartbeat.”
When your computer accesses a website, the website will respond to let your computer know that it is active and listening for your requests: this is called a “heartbeat”. This call and response is done by exchanging data. Normally, when your computer makes a request, the heartbeat will only send back the amount of data your computer sent. However, this is not the case for servers currently affected by the bug. The hacker is able to make a request to the server and ask for data from the server’s memory beyond the total data of the initial request, up to 65,536 bytes.
The data that lives beyond this request “may contain data left behind from other parts of OpenSSL,” according to CloudFlare. What’s stored in that extra memory space is completely dependent on the platform. As more computers access the server, the memory at the top is recycled. This means that previous requests may still reside in the memory block the hacker requests back from the server. Now, these bits of data can include login credentials, cookies and other data that can be exploited by hackers.
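To make the mechanism concrete, here is a small C simulation I have added for this post; it is not code from OpenSSL and not from the original article. It models the server’s memory as a single byte array (a constructed stand-in, nothing outside that array is ever read), places a constructed leftover secret just after the received heartbeat record, and shows the heartbeat handler with and without the bounds check that OpenSSL’s fix added. The message layout (1-byte type, 2-byte length, payload, at least 16 bytes of padding) follows RFC 6520; the function names, the `MEM_SIZE` cap and the sample secret `session=abc123` are my own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the server process's memory: the received TLS
 * record sits at the front, and whatever an earlier connection left behind
 * sits right after it. The demo never reads outside this array. */
#define MEM_SIZE 256
static unsigned char server_mem[MEM_SIZE];
static unsigned char response[MEM_SIZE];

/* Heartbeat message layout from RFC 6520, as carried inside a TLS record:
 *   [type: 1 byte][payload_length: 2 bytes, big-endian][payload][padding >= 16] */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Put a heartbeat request at the start of server_mem whose header claims
 * `claimed_len` payload bytes while only `payload_len` were really sent, then
 * stage `leftover` (a constructed secret from an earlier request) just past
 * the record. Returns the record length that actually arrived on the wire. */
size_t stage_memory(const char *payload, size_t payload_len,
                    uint16_t claimed_len, const char *leftover)
{
    memset(server_mem, 0, MEM_SIZE);
    server_mem[0] = HB_REQUEST;
    server_mem[1] = (unsigned char)(claimed_len >> 8);
    server_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(server_mem + 3, payload, payload_len);
    size_t record_len = 3 + payload_len + HB_PADDING;
    memcpy(server_mem + record_len, leftover, strlen(leftover));
    return record_len;
}

static size_t claimed_payload_len(void)
{
    return (size_t)((server_mem[1] << 8) | server_mem[2]);
}

/* Vulnerable handler: trusts the length field inside the message and never
 * compares it with the length of the record that actually arrived, so the
 * copy runs past the real payload into neighbouring memory. */
size_t heartbeat_vulnerable(size_t record_len, unsigned char *out)
{
    (void)record_len;                   /* the real record length is ignored */
    size_t n = claimed_payload_len();
    if (3 + n > MEM_SIZE)
        n = MEM_SIZE - 3;               /* demo guard only, not part of the bug */
    out[0] = HB_RESPONSE;
    out[1] = server_mem[1];
    out[2] = server_mem[2];
    memcpy(out + 3, server_mem + 3, n); /* echoes n bytes, whatever they hold */
    return 3 + n;
}

/* Fixed handler: the bounds check OpenSSL's fix added. If the claimed payload
 * plus the 3-byte header and 16 bytes of padding would exceed the record that
 * really arrived, the message is silently discarded. */
size_t heartbeat_fixed(size_t record_len, unsigned char *out)
{
    size_t n = claimed_payload_len();
    if (1 + 2 + n + HB_PADDING > record_len)
        return 0;                       /* discard: the length field lies */
    out[0] = HB_RESPONSE;
    out[1] = server_mem[1];
    out[2] = server_mem[2];
    memcpy(out + 3, server_mem + 3, n);
    return 3 + n;
}

/* Return 1 if `secret` appears anywhere in the response bytes. */
int response_leaks(const unsigned char *resp, size_t resp_len, const char *secret)
{
    size_t slen = strlen(secret);
    if (slen == 0 || resp_len < slen) return 0;
    for (size_t i = 0; i + slen <= resp_len; i++)
        if (memcmp(resp + i, secret, slen) == 0) return 1;
    return 0;
}

/* One scenario: a 5-byte "hello" whose header claims `claimed_len` bytes,
 * handled by the fixed (use_fixed != 0) or vulnerable handler.
 * Returns the number of bytes sent back (0 means discarded). */
size_t bytes_returned(uint16_t claimed_len, int use_fixed)
{
    size_t rec = stage_memory("hello", 5, claimed_len, "session=abc123");
    return use_fixed ? heartbeat_fixed(rec, response)
                     : heartbeat_vulnerable(rec, response);
}

/* Same scenario, reporting whether the leftover secret came back. */
int secret_leaked(uint16_t claimed_len, int use_fixed)
{
    size_t n = bytes_returned(claimed_len, use_fixed);
    return response_leaks(response, n, "session=abc123");
}

int main(void)
{
    printf("honest (claims 5), vulnerable: %zu bytes, leak=%d\n",
           bytes_returned(5, 0), secret_leaked(5, 0));
    printf("lying (claims 60), vulnerable: %zu bytes, leak=%d\n",
           bytes_returned(60, 0), secret_leaked(60, 0));
    printf("lying (claims 60), fixed:      %zu bytes, leak=%d\n",
           bytes_returned(60, 1), secret_leaked(60, 1));
    return 0;
}
```

The honest request gets the same 8 bytes back from both handlers. The request whose header claims 60 bytes gets 63 bytes back from the vulnerable handler, including the leftover session string that sits past the record, while the fixed handler returns nothing because 1 + 2 + 60 + 16 is larger than the 24-byte record it actually received.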
I still don’t get it. Could you explain it in an easier-to-understand way?
Alright, here are a couple of webcomics from xkcd which might help you understand Heartbleed in an easier way:
Check out other parts of the series: