12 Apr, 2014 | Bobby | How Security Works

Heartbleed is the talk of the internet right now. Bruce Schneier calls it “catastrophic.” An 11 on a scale of 1 to 10. Coming from Bruce, that means something. So what is it exactly?

What is Heartbleed?

Heartbleed is not a virus. Your computer cannot get infected by it and you won’t be affected simply by browsing the internet.

The problem has to do with certain secure (“https”) websites that leak sensitive information because of a weakness in the software they run. It can leak your information only if you visit one of the secure websites that has the issue.

The programming bug exists in the OpenSSL library. OpenSSL is installed on web servers to create a secure connection between your browser and the web server. Not all secure websites use OpenSSL. It’s estimated that about 17% of the secure websites in the world (500 thousand) are affected by Heartbleed.

How Does Heartbleed Work?

When you connect to a secure website (https instead of http), an encrypted tunnel is created between your browser and the web server that no one in the middle can see. It works because only you and the web server have the SSL keys to decrypt the data received from the other end.

While you’re connected to this secure website, you stay connected by what’s called a “heartbeat.” Your browser and the web server are sending a continuous “ping” back and forth to ensure the other side hasn’t disappeared. The heartbeat is intended to make the connection more secure and reliable.

The problem is simply a programming bug that makes it possible to trick the heartbeat into giving you sensitive information stored in the web server’s memory. First, bad guys will establish their own secure connection with the website just like you do. Then they will manipulate the heartbeat into sending them sensitive information they shouldn’t have.

The bad guys can’t control what they get from the heartbeat. It’s just random stuff stored in memory that the server has marked for deletion. So they’ll collect all this random data and sift through it until they find something useful. That may include your password, card info, or secret SSL encryption keys.

The SSL keys are the jackpot. If a hacker can get the secret keys that are used to encrypt all data going to and from the website, all bets are off. They can then eavesdrop on any secure connection made to that website, including yours. The secure “https” connection would be worthless.
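To make the “trick” concrete, here is a toy model written for this post (it is not the author’s code and not OpenSSL’s): a heartbeat message carries its own length field, the vulnerable handler copies that many bytes back without checking how many bytes actually arrived, and the fixed handler drops any request whose claimed length does not fit inside the record it received. The function names, the `mem` layout and the “SECRET_KEY” sample are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
/* Toy model of a TLS heartbeat record: 1-byte type, 2-byte big-endian
 * payload length, the payload, then 16 bytes of padding. Constructed to show
 * the bug class; it is not OpenSSL's code. */
#define HB_RESPONSE 2
#define HB_PADDING  16
#define CLAIMED(rec) ((uint16_t)(((rec)[1] << 8) | (rec)[2]))
/* Vulnerable: trusts the length field inside the message and never compares
 * it with how many bytes actually arrived (rec_len). */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out) {
    uint16_t n = CLAIMED(rec);
    (void)rec_len;                        /* the missing check */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);          /* copies whatever follows the payload */
    memset(out + 3 + n, 0, HB_PADDING);
    return 3 + n + HB_PADDING;
}

/* Fixed: header + claimed payload + padding must fit inside the record that
 * was received, else the request is dropped (the shape of the OpenSSL patch). */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out) {
    if (rec_len < 3 + HB_PADDING) return 0;   /* too short to even hold a header */
    uint16_t n = CLAIMED(rec);
    if ((size_t)3 + n + HB_PADDING > rec_len) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);
    memset(out + 3 + n, 0, HB_PADDING);
    return 3 + n + HB_PADDING;
}
/* Simulated server memory: a request whose real payload is "hi" (2 bytes)
 * and whose length field says `claimed` (2 for an honest request; keep it
 * <= 61 so the toy read stays inside mem), followed by data that must never
 * leave the server (constructed sample). Returns -1 if the handler dropped
 * the request, 1 if its response contains that data, else 0. */
static int heartbeat_outcome(int use_fixed, unsigned char claimed) {
    static const char secret[] = "SECRET_KEY";
    unsigned char mem[64] = {1, 0, 0, 'h', 'i'}, out[128] = {0};
    size_t rec_len = 3 + 2 + HB_PADDING, n, i;   /* bytes actually on the wire */
    mem[2] = claimed;
    memcpy(mem + rec_len, secret, sizeof secret - 1);
    n = use_fixed ? heartbeat_fixed(mem, rec_len, out)
                  : heartbeat_vulnerable(mem, rec_len, out);
    if (n == 0) return -1;
    for (i = 0; i + sizeof secret - 1 <= n; i++)
        if (memcmp(out + i, secret, sizeof secret - 1) == 0) return 1;
    return 0;
}
```

With an honest 2-byte request both handlers simply echo “hi”; only when the length field lies does the vulnerable handler hand back the bytes sitting next to the request in memory, which is exactly the “random stuff” the post describes.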

Can I Fix it?

Nope. There’s nothing you can do about it. It’s completely up to the people who run the website servers. Until they get their end updated, the websites affected by this bug will not be safe to use.

The worst part is, this OpenSSL bug has been around for two years. That means any information you have sent to these affected websites in the last two years may have been stolen. But it doesn’t mean that it has.

It’s impossible to tell what information, if any, has been leaked. We don’t even know if any bad guys have known about this. It could be that the researchers who discovered it were the first, and it hasn’t actually ever been used. We just know that the possibility has existed for the last two years.

What Should I Do?

The Tor blog recommends that you stay off the internet for a while until it’s all sorted out. Unfortunately, that’s pretty good advice. Or at least don’t visit any secure websites that you’re not sure are safe.

If a site is affected, the web server people have to 1) update OpenSSL to fix the bug, then 2) revoke their old SSL certificates and get new ones. Even if they update OpenSSL, it’s still possible that their current SSL keys were stolen at some point in the past two years. So even with the bug fixed, without new SSL keys your secure connection to the site can’t be trusted.

What I recommend:

  1. Wait a couple weeks before using any secure websites unless you know it’s okay
  2. After waiting, change your password for every secure website you use, just in case
  3. Keep an eye on your card activity (as always, right?)

Note: Do not click on any links to change passwords in emails you might receive. Bad guys are sure to take advantage of Heartbleed by creating phishing sites to steal passwords. Always go to the site by typing in the address yourself to change your password – never with a link from anywhere else.

The one other thing you should do is make sure your browser is set to update its stored SSL certificates, so that when these sites do update their certs, your browser automatically gets the new ones. I don’t have a tutorial for this yet, but sign up for my newsletter so you’ll be notified when it goes up soon.

How to check for the Heartbleed bug

If there’s a website you want to check, try one of these testing sites. Go to the page, type in the address of the site you want to check (it will look something like “https://website.com”), and run the test to see if it’s affected.

http://heartbleed.criticalwatch.com/

https://www.ssllabs.com/ssltest/

If the site is affected by the bug, then don’t use it. But remember that even if it passes the test, it’s possible it could have been affected by Heartbleed and has simply been fixed. It may still have the old SSL keys. That’s what makes it so hard. You just don’t know.

That’s why website administrators have been sending out email notices. You’ve probably seen some in your inbox by now. They should say specifically whether their website was affected and tell you what to do. But remember not to follow the links in the emails – go to the page by typing in the address yourself.

Unfortunately, this is just something we’ll have to wait out. Hopefully the web server admins will sense the urgency and get this stuff sorted out quickly. Just be cautious and follow the steps I listed above and you should be okay.