Following the media coverage of its discovery in early April, the so-called Heartbleed flaw has been extensively written about. A major flaw, if any, Heartbleed is actually a coding error in the OpenSSL encryption software. The websites using OpenSSL are, or were for a few days, highly vulnerable to theft of data. Overwhelming for some, frightening for others, the flaw must be taken seriously in any event. The Heartbleed situation in four questions.
What is Heartbleed?
Heartbleed is neither a malware nor a virus. It is a flaw in the implementation of the OpenSSL security protocol. The latter is used to secure communication between two computers while protecting their identities. Heartbleed allows any internet user to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. It compromises the secret keys used to identify the service providers and to encrypt traffic as well as the names and passwords of users. It also allows hackers to eavesdrop on communications and to steal data directly from the servers.
The flaw of the OpenSSL lies in this tiny line of code:
memcpy (bp, pl, payload):
Mempcy is a command that copies data by overwriting previously copied data. But, with Heartbleed, the data is stored in the system as information to be overwritten, but it is not, and the flaw allows for this data to be stolen.
How significant is the flaw?
Heartbleed allows a maximum 64 Kb of data to be retrieved, which may seem to be an insignificant amount. However, this represents a significant amount of information in plain text (64,000 characters!). Together, data retrieved from all servers represent a colossal amount of information. In addition, “the number of attacks from hackers is unlimited” as stated by Fox-IT, a company specialised in IT security.
The identity of the hackers may be equally important. Thus, a few days after the discovery of the flaw, the National Security Agency (NSA) was accused of having exploited this flaw for almost two years to collect the maximum amount of data on Internet users. While the Edward Snowden commotion had started to settle, these accusations did not bode well for the U.S. agency.
Has the flaw been fixed?
The OpenSSL protocol was developed as open software. This allows its users to modify the source code, and to deal with flaws of this magnitude. For April, an organisation for the promotion of open software, the open nature of the code has “substantially lowered the impact of this flaw.” OpenSSL has been updated but this still does not solve all the problems, as the update must be installed on all vulnerable servers.
The most popular websites had already installed this update of the protocol before the media started reporting on the flaw. The servers are therefore no longer vulnerable to this flaw.
Nonetheless, mistakes can happen swiftly. Akamai Technologies, which manages almost 30 % of global traffic on its 147,000 servers, learnt it the hard way. For over 10 years, Akamai has been using a modified version of OpenSSL which provided “better security” against the Heartbleed flaw according to the Chief Technology Officer of the company. However, an independent researcher found “a code full of bugs and non-functional” in the patch provided by Akamai to its clients. The researcher believes that the update does not offer adequate protection against Heartbleed. This is particularly worrying given that Akamai’s clients are major banks, media groups and companies specialising in e-commerce.
However it is possible that other flaws will be revealed. Indeed, OpenSSL is crucial for websites that use it; however this project is far from being sustainable. Its developers are “desperately short of funds” according to the Research Manager of Sophos. The Wall Street Journal says that only four developers work on this project, only one of them on a full time basis.
What should users do?
For users, two steps are crucial to prevent personal information from being stolen. Firstly, it is essential to ensure that websites they use have updated their version of OpenSSL. This is already the case for most websites, including social networks and banks’, but checking is still important.
The second step is to change your passwords. This change must be put into practice after the OpenSSL has been updated, otherwise hackers may retrieve the new password.
Last but not least, in order to ensure protection of one’s information on the Internet, one should have different passwords. This is commonly known advice but unfortunately it not applied frequently enough. Yet, it is essential. Thus a unique and hard to guess password is good practice for sensitive websites such as banks’ websites. Passwords that are too simple such as “password” or “123456” are obviously prohibited, on any website.