SE·CU·RI·TY: procedures followed or measures taken to ensure the safety of a state or organization.


Sunday, April 13, 2014

If you don't know what the heartbleed bug is, you need to start now!



The Internet’s Most Widespread Vulnerability


Remember when you were a little kid and you and your friends had your own secret code words, and no one else could tell what you were saying? Now imagine that someone had a secret decoder ring and could understand everything you were saying. But here is the best part: you didn't even know that a decoder ring existed for your imaginary language! Oh, and this decoder ring has been available in every box of cereal on store shelves!

Now let's change some of the details of the story:

Image: Ovaltine decoder ring

  • Store Shelves = Internet
  • Cereal Boxes = Websites/Web services
  • Secret Code = Encryption
  • Friend = Server
  • Decoder Ring = Heartbleed bug

How many boxes of cereal on store shelves came with a prize? Imagine if 66% of them did. That is a lot of decoder rings.

From the Heartbleed homepage:
[The Heartbleed bug] compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content... As long as the vulnerable version of OpenSSL is in use it can be abused.  
So, when you are accessing a website, sending your information out and getting information back, all of this 'computer talking' should be encrypted, and no one should have the key except you and the server you are talking with. In some cases, this is probably true and hasn't changed.

But if the website you are using protects information with any version of OpenSSL released in the past 2 years (May 2012), then you probably should change your password... NOW!


OpenSSL is used by the Apache and nginx web servers, and it also protects "email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and wide variety of client side software." That pretty much covers more than half the internet.


Well, at least it was discovered by a researcher at Google and the security engineers at Codenomicon instead of a hacker, right? That is what everyone assumes, but there is no way to tell for sure, because exploitation of Heartbleed is undetectable and leaves no trace.


The only way to be safe now is to change your passwords. If you have entered a password on any account that has been using the OpenSSL versions issued in the past 2+ years, change it! But not until you know that the site has installed a patch and issued new certificates. If they haven't, don't try to access that account! Any information passed between you and the server is still susceptible.
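As an added illustration, not part of the original post, here is a small Python triage script that applies the rule above: a site is ready for a password change only when its OpenSSL version is out of the affected range (1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g, released 7 April 2014, is the first fixed release) and its certificate was issued on or after that date. The hostnames, Server headers and certificate dates are constructed sample data.

```python
import re
from datetime import date

# 1.0.1g, the first fixed release, shipped on 7 April 2014.
HEARTBLEED_FIX_DATE = date(2014, 4, 7)
# Matches "OpenSSL/1.0.1e" or "OpenSSL 1.0.2-beta1" as seen in Server headers.
_VERSION_RE = re.compile(r"OpenSSL[/ ]?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

def openssl_status(banner: str) -> str:
    """Classify the OpenSSL version in a banner as "vulnerable", "patched",
    "unaffected" or "unknown". Distributions often backport the fix without
    bumping the version string, so a banner can flag a host but not clear it."""
    m = _VERSION_RE.search(banner)
    if not m:
        return "unknown"
    version, letter, beta = (int(m[1]), int(m[2]), int(m[3])), m[4], m[5]
    if version < (1, 0, 1):
        return "unaffected"  # 0.9.8 and 1.0.0 never had the heartbeat code
    if version == (1, 0, 1):
        return "vulnerable" if letter < "g" else "patched"  # 1.0.1 .. 1.0.1f
    if version == (1, 0, 2) and beta == "1":
        return "vulnerable"  # 1.0.2-beta1 was affected too
    return "patched"  # newer, but the key may have leaked before the upgrade

def password_change_advice(banner: str, cert_not_before: date) -> tuple[bool, str]:
    """The post's rule: log in and change the password only once the server is
    patched AND its certificate was issued after the fix date."""
    status = openssl_status(banner)
    if status == "vulnerable":
        return False, "server still reports a vulnerable OpenSSL; wait for the patch"
    if status == "unaffected":
        return True, "this OpenSSL branch never had the bug"
    if cert_not_before < HEARTBLEED_FIX_DATE:
        return False, "certificate predates the fix; its private key may have leaked"
    return True, "patched and certificate reissued; change the password now"

# Constructed sample data: (Server header, certificate notBefore) per host.
SAMPLE_SITES = {
    "shop.example": ("Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e", date(2013, 6, 1)),
    "mail.example": ("nginx/1.4.6 OpenSSL/1.0.1g", date(2013, 6, 1)),
    "bank.example": ("nginx/1.4.6 OpenSSL/1.0.1g", date(2014, 4, 9)),
    "old.example": ("Apache/2.2.3 OpenSSL/0.9.8e", date(2012, 1, 15)),
}

def triage(sites=SAMPLE_SITES) -> dict[str, bool]:
    """Map each host to whether it is safe to change the password there now."""
    return {host: password_change_advice(b, nb)[0] for host, (b, nb) in sites.items()}
```

Note that mail.example is patched but still serves its old certificate, so it is not yet ready: the private key that protected earlier sessions may already have been read out.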


For more information on the Heartbleed Bug, or to see if a site you use could be affected, check out these sources:




Resources:
www.heartbleed.com
http://mashable.com/2014/04/09/heartbleed-nightmare/
https://lastpass.com/heartbleed/
http://www.cnet.com/news/heartbleed-bug-what-you-need-to-know-faq/




8 comments:

  1. Heartbleed has been a hot topic in recent weeks; this was an eye-opener for everyone who assumed SSL is really secure. Nice post!!

  2. I agree, Raj! And it has also been an eye-opener for people who don't assume themselves to be a target on the internet. All of a sudden, everyone has been exposed, and many are now realizing how vulnerable they are just using those few web apps.

  3. Thanks for the reminder - I still need to change most of my passwords. For anyone not using a password manager such as 'LastPass', now is a good time to start. While a password manager has nothing to do with Heartbleed, it does make your online presence much more secure, as it's an easy way to store super long, randomly generated passwords (that are unique to every login/website). With a site like LastPass, all of your data is encrypted locally, which means that if someone were to hack LastPass they would not be able to obtain your passwords.

  4. This is really helpful! I just changed all my passwords. Better safe than sorry, right?!

     Also, I'd recommend that those who use two-factor authentication like Google's change their passwords as well. It does not matter whether you use two-factor authentication or not. A main goal of SSL/TLS is the protection of the server's secret key. If attackers can obtain the key, they can decrypt your traffic. Then they can steal your session cookies and do everything without your token.

  5. Ryan, you are right, having a password manager is really helpful, even if you don't use generated passwords, because with all the accounts and passwords we have in today's internet age, it is really hard to keep up!

  6. Kornchai, two-factor authentication won't mean a thing if your password could be leaked from the server.

     I highly recommend that you change your passwords regardless of the account and the security measures in place, but not until AFTER any sites using OpenSSL have been updated.

  7. Really nice article. Lots of information for those who don't know about it. I have also changed my passwords on some of my accounts. We just have to change them on those accounts which are affected by the Heartbleed bug. We can check https://lastpass.com/heartbleed/ to see whether the sites are affected or not.

  8. Good summary of the Heartbleed problem. The biggest change has to be changing the version of OpenSSL that is operating on the site. Fortunately, not all versions are vulnerable to Heartbleed. Once a protected version of OpenSSL is installed, then password changes can be made to secure all of the information.
