Most of web exposed after OpenSSL “Heartbleed” security hole is found

  • April 9, 2014
  • News

Just as we sang the praises of HTTPS connections for browsing security, our following article about the vulnerabilities of HTTPS and SSL/TLS appears more prudent. On Tuesday, a group developing security software noticed a tremendous hole in the implementation of much of the secure connections across the web.

In a long-form piece on what the so-called “Heartbleed Bug” is and isn’t, developers revealed that the leak has been present across the web since 2011. While it has been discovered by people that are trying to protect security, it is impossible to know for sure if or how much this leak has been used by hackers or surveillance groups. Further, making it public makes for a temporary security crisis, but was necessary to force websites into quickly implementing the official fixes.

For those unfamiliar with terms like HTTPS and SSL/TLS, you can check out our earlier piece on that subject here. We used an analogy involving sending notes and letters to explain the differences between HTTP and HTTPS connections. While HTTP is like passing a note, HTTPS is like sealing it in an envelope and writing it in a code that only you and your recipient understand. A choice selection to get you started:

One aspect of HTTPS is that you are much more likely to be able to find out whether your communications have been read. However, there is another security feature to consider: encryption. HTTPS connections are almost always encrypted by SSL/TLS, which is a protocol that is akin to your letter being written in code. Even if someone opens your letter, they shouldn’t be able to figure out what it says.

There’s a reason this doesn’t work perfectly, though. You have to, somehow, make your letter readable to its recipient. With HTTPS connections, your communications are automatically decrypted once they reach their recipient. This is reasonably secure, but you must have some certainty that you are communicating with who you think you are thinking with. For this reason, we have what are called “certificates.”

The problem with this leak is that the encryption keys, or passwords, have been made available. This means that anyone that intercepted your browsing data with a given website may have been able to grab your password from that website, thus enabling them to view the information you two exchanged. Without the encryption key, the data they snooped on would be unreadable. Even worse, this “Heartbleed” hole made it possible for this data gathering to occur without you or the website you communicated with knowing it happened. Usually, the snooping itself is fairly difficult to accomplish, regardless of whether the spy had the ability to decrypt the data they would eventually steal. Unfortunately, Heartbleed made this easy too.

The way this hole works doesn’t actually have anything to do with HTTPS connections or the integrity of SSL/TLS, per se. It is the way a particular implementation of these things was coded. That is to say that a correct application of this encryption works just as well as we always thought. The problem is that the OpenSSL library that is widely used to perform this encryption has had this flaw in several of its most recent versions.

According to Netcraft, about two thirds of web servers use OpenSSL to implement their secure connections. The Heartbleed vulnerability resided in this OpenSSL code, which is open source – it is perhaps the only reason the hole was discovered and publicized at all. It has already been updated and those running older versions are spared, too. The coders who discovered the hole said this about what they’ve been able to steal from themselves at present to test the leak’s severity:

We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

For those who might have intercepted encrypted data and had no way to decrypt it, learning of this vulnerability can give those hackers the ability to finally decrypt that data, even if it is several years old. If that happens, and it will be nearly impossible to know if it does unless you are later victimized in an obvious way, there is nothing you or the website with the vulnerability can do to protect that information.

Nonetheless, you should start changing your password for all of your accounts. If you are not already using a password manager and good password etiquette such as using a different one for each website, today’s the best day to start. While you can’t stop your old data from being decrypted, you can do something about the fact that it is likely that your present-day passwords are accessible on major websites. We suggest downloading LastPass pronto and if you are a student/have access to a .edu address, you can use LastPass Premium features for free.

The following websites are among the most famous to be known to have been vulnerable within the last 24 hours:

  • Yahoo
  • Flickr
  • RedTube
  • Stack Exchange
  • Slate
  • XDA-Developers
  • (VPN service)

You can find more at this link.

This is the tip of the iceberg in our coverage of the Heartbleed leak. Check on this page or click on the “Heartbleed” tag in this post or in the sidebar to see all of our postings on this subject.

Featured image by Yuri Samoilov (Flickr).


Note: Comments are provided by Disqus, which is not affiliated with Getting Things Tech.
Support This Site
Bitcoin Donations:

Litecoin Donations: