Heartbleed Bug Bypasses Web Encryption, Exposing Personal Data
A significant security vulnerability called Heartbleed could allow hackers to gain access to private keys and other highly sensitive information on many widely visited websites.
The problem, discovered Monday night, is in some versions of the popular open source software OpenSSL, used to encrypt web communications. The vulnerability is in the library's heartbeat feature, which lets a client and server keep a secure connection open over an extended period of time.
It was discovered independently by Finnish security company Codenomicon—which set up a site with technical information about the bug—and Google researcher Neel Mehta, both of whom reported their findings and facilitated the response.
The bug involves SSL/TLS, the encryption technology marked by the small, closed padlock icon preceding “https:” in the URLs shown by web browsers to signify that a site is secure. With the Heartbleed glitch, traffic is susceptible to infiltration even when the padlock is shown. OpenSSL is the only SSL/TLS implementation affected, but it is also one of the most widely used on the Internet.
that the bug was introduced in 2011, apparently through a programming error when the OpenSSL code was updated. A missing bounds check means it is possible to send a well-disguised, malicious message that looks like a heartbeat request and trick the computer at the other end into returning up to 64 kilobytes of data from its memory. That can include private information such as usernames, passwords, and credit card numbers, and it also means an attacker could obtain copies of a server's private keys and then use them to read communications or impersonate the server. Exploiting the bug leaves no trace of anything out of the ordinary in logs.
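The missing bounds check described above, as an added toy model in C (constructed for this page, not OpenSSL's code and not from the article): a heartbeat record carries a 16-bit claimed payload length, which is why the leak is capped at 64 kilobytes per request, and the vulnerable handler copies that many bytes regardless of how many it actually received. The `memory` buffer, the `'S'` filler, and the `place_request` helper are assumptions that stand in for a server's process memory; the fixed handler mirrors the shape of the patched check (1 + 2 + payload + 16 must fit inside the record).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy model of a TLS heartbeat record (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16).
 * Constructed for illustration; it is not OpenSSL's code. The received record sits at the start of
 * `memory`; the rest is unrelated data, a constructed stand-in for keys and passwords living nearby. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define PADDING     16
static unsigned char memory[256];
/* Vulnerable: trusts the claimed payload length and never consults the record's real size. */
size_t hb_reply_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    uint16_t n = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);            /* reads past the record when n is inflated */
    return 3 + n;
}
/* Fixed, mirroring the patched check: 1 + 2 + payload + 16 must fit inside the record. */
size_t hb_reply_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    uint16_t n = (uint16_t)((rec[1] << 8) | rec[2]);
    if (rec_len < 1 + 2 + PADDING || (size_t)1 + 2 + n + PADDING > rec_len)
        return 0;                           /* silently discard the malformed request */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);
    return 3 + n;
}
/* Writes a request carrying a 4-byte payload ("ping") but claiming `claim` bytes; returns real length. */
static size_t place_request(uint16_t claim) {
    memset(memory, 'S', sizeof memory);     /* constructed "sensitive" filler beyond the record */
    memory[0] = HB_REQUEST; memory[1] = (unsigned char)(claim >> 8); memory[2] = (unsigned char)claim;
    memcpy(memory + 3, "ping", 4);
    memset(memory + 7, 0, PADDING);
    return 1 + 2 + 4 + PADDING;             /* 23 bytes actually received */
}
/* Inflated claim of 64: counts filler bytes the vulnerable handler echoes back to the peer. */
size_t leaked_bytes_vulnerable(void) {
    unsigned char out[512]; size_t i, n = 0;
    size_t len = hb_reply_vulnerable(memory, place_request(64), out);
    for (i = 3; i < len; i++) n += (out[i] == 'S');
    return n;                               /* 64 claimed - 20 present = 44 leaked bytes */
}
/* Same records through the fixed handler: 0 for the inflated claim, 3 + 4 for an honest one. */
size_t fixed_reply_len(uint16_t claim) {
    unsigned char out[512];
    return hb_reply_fixed(memory, place_request(claim), out);
}
```

Because the rejected request produces no reply and no error, nothing about it stands out in ordinary logs, which is the detection problem the article notes; the bounds check, not logging, is the mitigation.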
OpenSSL is used by about two-thirds of the servers on the Internet. The services confirmed to have been affected by the security weakness include most of Yahoo’s properties, including Yahoo Mail, Tumblr, and Flickr; the dating site OKCupid; and the image-sharing service Imgur. Though there have not yet been any reports of a breach, the potential for attacks extends to other email clients, virtual private networks, banking sites, and even portals run by the government.
Because of the far-reaching implications and the length of time the vulnerability has existed, it’s safe to assume most people will be affected, either directly or indirectly. It’s recommended to change passwords, especially for services where security is a major concern.
A patch has been released, and many website managers and network administrators have already installed it and reissued SSL certificates. That presents a problem of its own: doing this on every server, for every user and service, is going to take some time. So if you’re particularly worried about privacy or security, you might want to stay away from the Internet for the next few days until the dust settles.