If you have a friend who’s seriously into online security, you may well have seen them talking about something called “Heartbleed” over the past day or so. Alternatively you might’ve seen it mentioned on XKCD today. Unless you are that friend who’s obsessed with online security though, chances are you were probably left wondering exactly what they were on about.
In short, Heartbleed is a bug that allows anyone on the internet to read the memory of any site protected by the popular OpenSSL cryptographic software library. That means information held by a number of sites and services, including email and instant messaging, is at risk.
In theory, an attacker could use the vulnerability — which lay undetected for two years — to gain access to all the details usually kept safe by, for instance, banking and ecommerce sites including passwords, password hints and email addresses.
For a clue as to how dangerous Heartbleed actually is, have a look at what the site providing information on it has to say:
Bugs in a single piece of software or a library come and go and are fixed by new versions. However, this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously.
Everyone. Thanks to the popularity of OpenSSL, it’s likely that at least some of the sites and services you’re signed up with have been affected. According to Heartbleed:
Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of TLS. Furthermore, you might have client-side software on your computer that could expose the data from your computer if you connect to compromised services.
Open what now?
Right, so you know that it’s serious, but what exactly is OpenSSL? Essentially, it’s an open-source implementation of SSL. That, in turn, is the cryptographic protocol behind the S in every site that has HTTPS in its address bar.
It’s there to make sure no one can drop in and spy on you while you’re doing your internet banking, buying that new console online or instant messaging with your friends.
Heartbleed means that security layer is compromised, leaving sites all across the web vulnerable to attack.
It’s worth noting, however, that this isn’t a flaw in the SSL protocol itself but a programming mistake in the OpenSSL library that implements it.
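As an added illustration that is not part of the original article and is not OpenSSL’s own code: a constructed, simplified model of that kind of programming mistake, a heartbeat handler that trusts the payload length a peer claims instead of checking it against the record actually received, shown next to the corrected check. The function names, the record layout and the sample bytes are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed model of a TLS heartbeat record, not OpenSSL's code:
 * byte 0 = type, bytes 1-2 = claimed payload length (big-endian),
 * then the payload, then at least 16 bytes of padding. */
#define HB_HEADER 3
#define HB_MIN_PADDING 16
#define REPLY_MAX 128   /* largest echo the handler will build */

/* Vulnerable pattern: trusts the length the peer claims and never looks at
 * how long the received record really is. 'mem_len' only bounds this model
 * so it stays within defined behaviour; the real bug had no such bound. */
size_t heartbeat_reply_vulnerable(const uint8_t *mem, size_t mem_len,
                                  size_t record_len, uint8_t *reply) {
    (void)record_len;                              /* never consulted */
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (claimed > REPLY_MAX) claimed = REPLY_MAX;
    if (HB_HEADER + claimed > mem_len) claimed = mem_len - HB_HEADER;
    memcpy(reply, mem + HB_HEADER, claimed);       /* reads past the record */
    return claimed;
}

/* Fixed pattern: the claimed length must fit inside the record actually
 * received (header + payload + padding); otherwise send nothing back. */
size_t heartbeat_reply_fixed(const uint8_t *mem, size_t mem_len,
                             size_t record_len, uint8_t *reply) {
    if (record_len > mem_len || record_len < HB_HEADER + HB_MIN_PADDING) return 0;
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (claimed > REPLY_MAX) return 0;
    if (HB_HEADER + claimed + HB_MIN_PADDING > record_len) return 0;
    memcpy(reply, mem + HB_HEADER, claimed);
    return claimed;
}

/* Constructed memory: a record whose header claims 64 bytes but carries 4,
 * followed by unrelated data that happens to sit next to it. */
static const uint8_t ARENA[] = {
    0x01, 0x00, 0x40,                               /* type, claimed len 64 */
    'p', 'i', 'n', 'g',                             /* bytes actually sent */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 16 bytes of padding */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'B', 'Y', 'T', 'E', 'S', '-', 'X', 'Y', 'Z'
};
#define RECORD_LEN (HB_HEADER + 4 + HB_MIN_PADDING)

/* How many bytes of the reply came from outside the received record. */
size_t leaked_bytes(int use_fixed) {
    uint8_t reply[REPLY_MAX];
    size_t n = use_fixed ? heartbeat_reply_fixed(ARENA, sizeof ARENA, RECORD_LEN, reply)
                         : heartbeat_reply_vulnerable(ARENA, sizeof ARENA, RECORD_LEN, reply);
    return n > RECORD_LEN - HB_HEADER ? n - (RECORD_LEN - HB_HEADER) : 0;
}
```

With the constructed record, the unchecked handler echoes 16 bytes that were never part of the request, while the checked handler refuses the mismatched length and replies with nothing.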
What’s being done about it?
Well, to start off with, a fixed version of OpenSSL has been released. For it to be effective, though, it has to be deployed.
According to Heartbleed, operating system vendors and distributions, appliance vendors and independent software vendors all have to adopt the fix and notify their users. Service providers and users, meanwhile, have to install the fix as it becomes available for the operating systems, networked appliances and software they use.
Until that happens though, sites and services will remain vulnerable.