Security researchers recently announced a security flaw in OpenSSL, a popular data encryption standard. This flaw gives attackers who know about it the ability to extract massive amounts of data from the services that all of us use every single day and assume are as secure as they can be. The unfortunate thing is that this isn’t as simple as a bug in some app that can be updated easily. The vulnerability lies in the machines that power services which transmit what we think is secure information, such as Gmail and Facebook.
Without even realising it, we may have been exposed to this bug for two years. It’s been quite some time since there has been a computer vulnerability that we had to worry about. This recently discovered bug has been labelled the “Heartbleed bug”. For those who want to understand its implications and how they can protect themselves, we have put together the following simple guide.
To put it simply, it’s a flaw in OpenSSL, the open-source encryption standard used by the majority of sites on the internet that need to transmit data users want to keep private and secure. The idea behind it is that it gives you a “secure line” when you’re chatting on IM or sending a private email. Encryption works by scrambling data as it is sent, so that it looks like gibberish to anyone but the intended recipient.
On the odd occasion, a computer might want to check that there’s still a computer at the other end of its secure connection. To do that it sends out what is known as a “heartbeat”. This is simply a small packet of data that asks for a response.
The problem lies in a programming error in OpenSSL’s implementation of this heartbeat. What the researchers found recently is that it was altogether possible to send a disguised packet of data so that it looked like one of these heartbeats. The aim is to trick the computer at the other end of the connection into sending over personal, and supposedly secure, data stored in its memory.
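The following C program is an added illustration for this guide; it is not code from the original article or from OpenSSL. It models the heartbeat exchange just described with a constructed 256-byte array standing in for the server’s memory and a constructed secret string placed next to the request, and it shows a handler that trusts the sender’s claimed payload length beside one that checks the claim against the length of the record that actually arrived, which is the nature of the fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed teaching model of the heartbeat flaw; not OpenSSL's code.
 * A small byte array stands in for the server's memory: the incoming
 * heartbeat record sits at the front, and a constructed "secret" (standing
 * in for a password or key fragment) sits right after it, the way unrelated
 * data can sit next to a request buffer in a real process. */
#define ARENA_SIZE 256
#define PADDING_LEN 16          /* TLS heartbeat records end with 16 bytes of padding */
static unsigned char arena[ARENA_SIZE];

/* Record layout: byte 0 = type (1 request, 2 response),
 * bytes 1-2 = claimed payload length (big-endian), then payload, then padding. */
static size_t build_request(uint16_t claimed_len, const char *payload, const char *secret)
{
    size_t payload_len = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = 1;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, payload_len);
    size_t record_len = 3 + payload_len + PADDING_LEN;
    memcpy(arena + record_len, secret, strlen(secret) + 1);   /* adjacent memory */
    return record_len;
}

/* Vulnerable handler: echoes back as many bytes as the sender CLAIMED the
 * payload was, never comparing that claim with the record's actual length. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                   /* the bug: actual length is ignored */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    /* Simulation guard only, so the demo stays inside the arena; a real server
     * has no such guard and reads whatever neighbouring memory holds. */
    if (3 + (size_t)claimed > out_cap || (size_t)(rec - arena) + 3 + claimed > ARENA_SIZE)
        return 0;
    out[0] = 2;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);               /* copies far past the real payload */
    return 3 + claimed;
}

/* Fixed handler: the claimed payload length must fit inside the record that
 * actually arrived (type + length + payload + padding); otherwise the record
 * is dropped without a reply, as the OpenSSL fix does. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + PADDING_LEN) return 0;     /* too short for a header and padding */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)claimed + PADDING_LEN > rec_len) return 0;  /* the missing bounds check */
    if (3 + (size_t)claimed > out_cap) return 0;
    out[0] = 2;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);
    return 3 + claimed;
}

/* Does buf[0..n) contain the byte string needle? */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; m <= n && i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

typedef size_t (*heartbeat_fn)(const unsigned char *, size_t, unsigned char *, size_t);

/* A request that claims 100 payload bytes but actually carries only "ping".
 * Returns 1 if the reply contains the constructed secret, 0 otherwise. */
static int reply_leaks_secret(heartbeat_fn handler)
{
    static const char secret[] = "constructed-secret:hunter2";   /* constructed sample */
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_request(100, "ping", secret);
    size_t n = handler(arena, rec_len, out, sizeof out);
    return contains(out, n, secret);
}

/* A well-formed request (claimed length matches the payload) must still get
 * a reply; returns the reply length in bytes (3 header bytes + payload). */
static size_t honest_reply_len(heartbeat_fn handler)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_request(4, "ping", "constructed-secret");
    return handler(arena, rec_len, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks secret:  %d\n", reply_leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:       %d\n", reply_leaks_secret(heartbeat_fixed));
    printf("fixed handler honest reply bytes: %zu\n", honest_reply_len(heartbeat_fixed));
    return 0;
}
```

The dishonest request is the whole trick: the record is 23 bytes long, but its length field says 100, and the unchecked handler obediently copies 100 bytes starting at the payload, sweeping up whatever sits beyond it. The fixed handler compares the claim with the record length it was given and silently drops the request, which is also why a patched server produces no reply, and no log entry, for such a probe.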
Google security researcher Neel Mehta was the first to report this to the team behind OpenSSL. The security firm Codenomicon later confirmed the bug, which has been present in OpenSSL for two years. Exploiting the bug does not leave a trace.
You should be concerned because web servers keep a lot of information in their active memory. This includes passwords, user names and even the content that users have uploaded to a particular service. An attacker can even pull your credit card numbers out of the data sitting in the memory of those servers.
However, the implications are even worse. This bug has made it possible for hackers to steal encryption keys, the codes that turn gibberish encrypted data back into readable data.
It doesn’t end there, however. If hackers have access to the encryption keys, they can intercept encrypted data moving to and from a site’s servers. This means they can read it without having to establish a secure connection. Unless the companies running vulnerable servers change their keys, even future traffic is not safe.
Probably. The vulnerability has been in OpenSSL for nearly two years and exploiting it leaves no trace. You can safely assume, then, that your accounts may be compromised. However, this isn’t simply an issue on your computer or your phone itself. The problem lies in the software that powers the very services you use, such as online banking, online stores and even Facebook and your email. Security firm Codenomicon reports:
“You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commercial site, hobby site, sites you install software from or even sites run by your government might be using vulnerable OpenSSL.”
According to a recent Netcraft web server survey, out of the nearly 959,000,000 web sites it looked at, 66% are powered by technology built around SSL. This does not include chat services, email services and the wide number of apps available on every possible platform.
About the only thing that you as an individual can do is change your passwords immediately. This applies especially to services where privacy or security is a major concern, such as your online banking accounts.
The good news is that the researchers who discovered the flaw alerted the developers behind OpenSSL several days before anyone announced the vulnerability. All major service providers would have already updated their sites. This means that the bug will be less prevalent as the weeks pass.