The Heartbleed bug has made headlines all around the world after it was discovered that potentially two thirds of the internet was vulnerable. The erroneous code has exposed encryption keys to would-be hackers, meaning most of our sensitive data is easily stolen. We look at what this means for the future.
On Monday April 7th an urgent warning was released by the OpenSSL project detailing an extremely dangerous bug called Heartbleed. News of the vulnerability spread like wildfire, as it potentially affected the encryption software used by up to two thirds of servers on the internet, with serious implications for user data security. Large sites such as Yahoo, Flickr, DuckDuckGo, Eventbrite, and imgur were revealed to be at risk, while countless smaller portals, alongside email and instant messaging services, had also been exposed by the problematic code.
The worst part was that the vulnerability had actually been active for nearly two years, and there was no way of knowing if anyone had used the exploit due to it leaving no trace.
As reports of the bug proliferated across the web and spilled into mainstream media, users were confused by exhortations from some to immediately change their passwords, while others warned that unless the site in question had fixed the problem first, any new passwords would be just as vulnerable.
Security researcher Ivan Ristic worked through the night to produce a simple webpage where concerned users could test to see if a particular site had been compromised, while Mashable contacted the major social media and email providers to see if they had been affected by Heartbleed. Facebook, Google, Instagram, Tumblr and Pinterest revealed that they had applied fixing patches before news broke publically, but had not found any signs of data being stolen.
The general advice though was that users should change their passwords on these sites just to be sure. Tumblr even posted a message on its blog encouraging exactly that. "This might be a good day to call in sick and take some time to change your passwords everywhere" the blog stated, "especially your high-security services like email, file storage, and banking, which may have been compromised by this bug".
The Canadian government even took the extraordinary step of taking its e-filing tax service offline during one of the busiest times of the year in response to the Heartbleed problem.
"As a preventative measure, the CRA has temporarily shut down public access to our online services to safeguard the integrity of the information we hold", the Canada Revenue Agency said in a statement.
So what exactly is Heartbleed, and how can it be so widespread? The main problem with the bug is that it was contained in the OpenSSL cryptographic software library, which is the most popular form of security protocols used on the web. This meant the very code that was implemented to ensure communications remained secure and private, could actually be the biggest threat to these goals.
When you connect to a secure website or service, a private connection is established between your browser and the web server. You can usually see this by the padlock icon and https text that appears at the start of the website address in your browser's address bar.
This connection is validated by a certificate that the server issues to let your browser know that it is who it claims to be. Data transferred between the two is then encrypted via Secure Socket Layer (SSL), or its successor Transport Layer Security (TLS), which uses a mixture of public, private and symmetric keys that ensure only your computer and the web server can decrypt and read the sensitive information.
Once the session ends the keys are made redundant and discarded, as new ones are created the next time you log on. At least that’s the way it’s meant to work. Unfortunately a modification in the OpenSSL code called Heartbeat left a very serious hole in this supposedly secure process. It was discovered that by using a simple technique it was possible for hackers to download packets of data from previous secure sessions on servers running the code. This could include personal information and, more importantly, the actual keys used to protect them.
"Basically, an attacker can grab 64K of memory from a server" wrote security expert Bruce Schneier on his blog. "The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it. 'Catastrophic' is the right word. On the scale of 1 to 10, this is an 11."
Steve Gibson, co-host of the Security Now podcast, also commented on his show about the further capabilities of the bug, stating "It is a bidirectional exploit. So if the client had this then something you’ve connected to could come and get memory from you as well."
The bug was initially discovered by Finnish security company Codenomicon, with Google engineer Neel Mehta also being credited. While testing a new variant of its Safeguard software, engineers at Codenomicon found worrying errors relating to OpenSSL. To further explore the bug the engineers decided to hack their own site.
"We have tested some of our own services from [an] attacker's perspective", the company revealed on its hastily assembled Heartbleed website. "We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."
"These are the crown jewels", said the company. "The encryption keys themselves. Leaked secret keys allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed. Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past still vulnerable to decryption."
In this post-Snowden world, some commentators began to wonder whether this erroneous code, along with the high profile GoToFail bug recently found in Apple software, might not be a mistake at all.
"At this point," Bruce Schneier wrote, "the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof."
How much damage the Heartbleed bug has caused is almost impossible to gauge at the moment. Companies have scrambled to patch the code, while certificate issuing services are struggling heroically to meet the demands that this revelation has created. Whether anyone stumbled across the vulnerability during its two years in the wild is anyone’s guess, but the dangers can’t just be shrugged off. Although there isn’t much you can do about the past, Tumblr’s suggestion to take the day off and change all of your passwords is definitely a good idea. While you’re at it turn on two-step verification on as many devices and services as you can. It won’t protect you against Heartbleed as such, but it’s only a matter of time before the next big threat arrives, so we might as well get ready.