Security has always been a major concern for Internet users, and one of the most serious flaws found in recent years has been named "Heartbleed". Heartbleed is a vulnerability in the OpenSSL library, and as soon as it was disclosed it became clear that this is not a small issue: websites such as Yahoo and Amazon have been affected by it.
According to Heartbleed.com, "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."
How does Heartbleed work?

The SSL/TLS protocol is what encrypts the traffic to and from a website's server, and there are several libraries that implement it; OpenSSL is one of the most widely used open-source ones. The Heartbleed bug lives in OpenSSL's implementation of the TLS heartbeat extension. A client sends a small heartbeat message and declares how long its payload is, and the vulnerable code echoes that many bytes back from memory without checking that the message really contained that many. A single request can therefore pull up to 64 KB of the server's memory, and the request can be repeated as often as the attacker likes. Whatever happens to be in that memory is exposed: the server's private key, session cookies, user names and passwords as users submitted them, and the contents of other users' requests.

The private key is the worst loss. Once an attacker has it there is no need to crack anything: the key lets them impersonate the website and, for connections negotiated without forward secrecy, decrypt traffic they recorded earlier. If the affected website has been taking payment information from its users, that too could be read straight out of memory by whoever exploits the bug.

The bug exists only in OpenSSL, and it has been there since December 2011. OpenSSL is the default TLS library for the Apache and Nginx server software, which together serve around 66% of websites. One of the worries here is that exploitation leaves nothing unusual in the server's logs, so website owners won't even know that a theft has occurred.

Codenomicon, a Finnish security firm, and a Google researcher working separately discovered the bug and made the information public. There is no information on whether any website has actually been attacked through it, but it is quite shocking that it has been there for over two years and nobody detected it. According to Yahoo, the sites in its network that were vulnerable included Yahoo, Comixology, Flickr, Imgur and OculusVR. The major players in the web world, including Google, Wikipedia, Twitter, Apple and Microsoft, could have been vulnerable in the past, but they are all patched now. To check whether a particular site is still vulnerable, use the online Heartbleed test set up by Filippo Valsorda.
(A clean result from the checker only tells you the site is not vulnerable right now. It says nothing about whether keys, cookies or passwords were already taken while the site was vulnerable, so you can't sit back and relax on that basis alone.)
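The missing bounds check described above, shown as an added example written for this post rather than OpenSSL's own code. The record layout follows RFC 6520 (one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding), the "server memory" is a constructed byte string standing in for the heap, and the two checks in `process_heartbeat_fixed()` mirror the ones added in OpenSSL 1.0.1g; the function and variable names are this example's own.

```python
"""
Simulation of OpenSSL's TLS heartbeat handling before and after the
Heartbleed fix. Added illustration for this post, not OpenSSL's own code.
"""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16                     # RFC 6520 requires at least 16 bytes of padding
HEADER = struct.Struct("!BH")    # 1-byte type, 2-byte big-endian payload_length


def build_heartbeat(payload, claimed_length):
    """Build a heartbeat request. An honest client passes len(payload);
    an attacker passes a larger number (up to 65535) with a short payload."""
    return HEADER.pack(HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


class ServerMemory:
    """Constructed stand-in for the server's heap: the received record followed
    by whatever else happens to sit next to it (here, fake secrets)."""

    def __init__(self, record, heap_neighbours):
        self.buf = record + heap_neighbours
        self.record_length = len(record)   # what s->s3->rrec.length holds in OpenSSL


def process_heartbeat_vulnerable(mem):
    """OpenSSL 1.0.1 through 1.0.1f: trust the length field in the request."""
    hbtype, payload_len = HEADER.unpack_from(mem.buf, 0)
    if hbtype != HB_REQUEST:
        return None
    pl = HEADER.size
    # memcpy(bp, pl, payload): copies payload_len bytes starting at the
    # payload, no matter how many bytes the record actually contained.
    echoed = mem.buf[pl:pl + payload_len]
    return HEADER.pack(HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def process_heartbeat_fixed(mem):
    """OpenSSL 1.0.1g: bounds-check against the length of the record received."""
    if HEADER.size + PADDING > mem.record_length:
        return None                      # silently discard
    hbtype, payload_len = HEADER.unpack_from(mem.buf, 0)
    if HEADER.size + payload_len + PADDING > mem.record_length:
        return None                      # silently discard, per RFC 6520 section 4
    if hbtype != HB_REQUEST:
        return None
    pl = HEADER.size
    echoed = mem.buf[pl:pl + payload_len]
    return HEADER.pack(HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def response_payload(response):
    """Return the bytes a heartbeat response echoes back (None if discarded)."""
    if response is None:
        return None
    _, payload_len = HEADER.unpack_from(response, 0)
    return response[HEADER.size:HEADER.size + payload_len]


# Constructed sample of data that happened to be near the record on the heap.
HEAP_NEIGHBOURS = (b"POST /login user=alice&password=hunter2 "
                   b"Cookie: session=9f2c71 -----BEGIN RSA PRIVATE KEY-----")


def demo():
    """Run an honest and a malicious heartbeat through both handlers."""
    honest = ServerMemory(build_heartbeat(b"ping", 4), HEAP_NEIGHBOURS)
    # Attacker sends a 4-byte payload but claims 4 + 16 + len(secrets) bytes.
    evil = ServerMemory(build_heartbeat(b"ping", 4 + PADDING + len(HEAP_NEIGHBOURS)),
                        HEAP_NEIGHBOURS)
    return {
        "vulnerable_honest": response_payload(process_heartbeat_vulnerable(honest)),
        "vulnerable_evil": response_payload(process_heartbeat_vulnerable(evil)),
        "fixed_honest": response_payload(process_heartbeat_fixed(honest)),
        "fixed_evil": response_payload(process_heartbeat_fixed(evil)),
    }


if __name__ == "__main__":
    for name, data in demo().items():
        print(f"{name}: {data!r}")
```

Running it shows the vulnerable handler echoing "ping" followed by the padding and then the neighbouring "secrets", while the fixed handler answers the honest request normally and drops the malicious one without a reply. In real OpenSSL the over-read walks off the end of the record into whatever the allocator placed next, which is why the leaked content differs on every request and why an attacker simply keeps asking.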
What can I do to keep my accounts safe?

"If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle," wrote Roger Dingledine, the president of Internet anonymity software company Tor. Apart from changing your passwords once a site has been fixed and staying away until then, there is nothing you can do for now, because it is up to the webmasters to fix things. As the Heartbleed.com website puts it, "Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use." There is also a Google Chrome extension called Chromebleed which runs in the background, checks the websites you visit, and warns you if the site you are browsing is affected by Heartbleed. If the extension warns you, the only thing you can do is come back and change your password after the site has been fixed.
Steps to be taken if you are a consumer
- Check whether the website has been upgraded and whether it has told you so. If yes, change your password, so that anything the attacker may have captured is your old password and no longer opens your account. If not, wait for the website owner to upgrade; changing a password on a site that is still vulnerable only hands the new password to the same hole.
- Keep checking your credit card and bank statements for anything suspicious, and contact your bank if you see a transaction you don't recognise.
- Don't stay active on websites which haven't fixed the issue; it is better to stay logged out until the websites concerned are safe.
Steps to be taken if you are a developer
- Check the version list below and upgrade OpenSSL to a version listed as safe (1.0.1g or later on the 1.0.1 branch). Be aware that Linux distributions often backport the fix without changing the upstream version number, so check your vendor's advisory as well rather than relying on `openssl version` alone, and restart every service that links OpenSSL (web server, mail server, VPN and so on), since a running process keeps the old library loaded until it restarts.
- The private key behind your SSL certificate is what the attacker is after. Generate a new private key, request a certificate for that new key, install both on the server, and revoke the old certificate. The old key can still impersonate your site and decrypt captured traffic, so the new key must come first; simply reissuing a certificate for the same key fixes nothing.
- The most important one: tell your customers or users to change their password once the site has been fixed, and invalidate existing sessions and cookies, since those may have been captured as well. The Heartbleed issue is now widely known, so contacting your users keeps your reputation up while helping them keep their data protected on your website.
OpenSSL version and vulnerability

Here is the status of the different versions of OpenSSL and their vulnerability to the Heartbleed bug.
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.2-beta1 is vulnerable; the bug was fixed in 1.0.2-beta2
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
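A small classifier for the version list above, written for this post as an added example (not an OpenSSL or vendor tool), for use when collecting `openssl version` output across a fleet of hosts. The regular expression, the function name and the two verdict strings are this example's own. It deliberately reports only "vulnerable upstream version" rather than "vulnerable": distributions such as Debian, Ubuntu and Red Hat backported the fix while keeping the upstream version string (a patched "1.0.1e" exists), so that verdict has to be confirmed against the vendor's advisory or package changelog, or by testing the heartbeat directly.

```python
"""
Classify an `openssl version` string against the Heartbleed-affected
releases. Added example for this post, not an OpenSSL tool.
"""
import re

# Accepts e.g. "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1g", "1.0.2-beta1", "1.0.1e-fips"
_VERSION_RE = re.compile(
    r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?"
)

VULNERABLE_UPSTREAM = ("vulnerable upstream version: confirm with the vendor "
                       "advisory or a heartbeat test, fixes are often backported")
NOT_VULNERABLE = "not vulnerable"


def classify_openssl_version(version_string):
    """Map an OpenSSL version string to a Heartbleed verdict."""
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version_string!r}")
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)          # "" for the bare release, "a".."z" for patch releases
    suffix = m.group(5) or ""    # e.g. "beta1" or "fips"
    # 1.0.1 (no letter) through 1.0.1f: patch letters compare alphabetically,
    # and "" sorts before "a", so the bare 1.0.1 release is included.
    if branch == (1, 0, 1) and letter <= "f":
        return VULNERABLE_UPSTREAM
    # 1.0.2-beta1 shipped the same bug; it was fixed in 1.0.2-beta2.
    if branch == (1, 0, 2) and suffix == "beta1":
        return VULNERABLE_UPSTREAM
    return NOT_VULNERABLE


if __name__ == "__main__":
    # Constructed sample output, as `openssl version` would print it on a few hosts.
    for line in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                 "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 0.9.8y 5 Feb 2013"):
        print(f"{line:35} -> {classify_openssl_version(line)}")
```

Even a "not vulnerable" verdict only covers the library on disk: a long-running daemon that was started before the upgrade still has the old code mapped, so pair this check with a restart of every OpenSSL-linked service.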