On the Heartbleed Bug

It is quite obvious that many everyday activities are slowly being phased out by their online counterparts. For example, people are less likely to do their shopping in stores, hand write and mail a letter to a relative, search for a relationship by going to a party or bar, or even watch a favorite television show on an actual television! As our daily lives become increasingly integrated into the internet, people seem to trust almost every website they use with some of their most personal information. Even the most casual internet users find themselves putting their name, phone number, and credit card credentials in the hands of faceless online entities such as Yahoo or Amazon. The amount of information you need to store becomes even greater if you are a small business owner, real estate agent, lawyer, etc., yet even they don’t give it a second thought. All in all, we believe that our information is secure, right?

Unfortunately, the vast majority of websites and corporations do not have the know-how (or desire) to build their own “security system” from scratch, so they must rely on other resources. Some choose to buy proprietary software (which essentially acts like a black box), while many forgo proprietary software in favor of open-source software (OSS). Open-source software is software whose source code is freely available to the public. There are a number of advantages to using OSS, the most significant being that anyone can view the source code to verify that nothing is going on behind the scenes. However, very few people are willing to invest potentially hundreds of hours scrutinizing thousands of lines of code in search of the tiniest flaws, which leads us to the Heartbleed Bug/Vulnerability. There is a widely used “security system” called OpenSSL which creates a secure connection between your internet browser and the server that holds all the information the site must store, so that you can transfer your username, password, e-mail, etc. safely. Somewhere deep in the source code, there existed a bug that allows individuals to acquire a random assortment of data from the server (Internet celebrity Randall Munroe explains it succinctly here). This random data could range from information as mundane as status updates on what some user ate for lunch to information as important as encryption keys and passwords. Worse still, individuals can acquire credentials for the server itself, meaning they could ultimately control or have access to the entire server.
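To make the “random assortment of data” concrete, here is an added toy model of the flaw (written for this post, not OpenSSL’s own code): a heartbeat message carries its own payload length, and the vulnerable handler echoes back that many bytes without checking that the message really was that long, so whatever happens to sit next to the message in memory comes back with it. The record layout, buffer sizes and the `SECRET` marker are constructed for the example; the patched handler applies the same kind of length check that the real fix added.

```c
#include <stddef.h>
#include <string.h>

/* Toy heartbeat record (constructed, not OpenSSL's code): 1-byte type,
 * 2-byte big-endian payload length, payload, 16 bytes padding. */
#define MEM_SIZE 64
#define HB_HEADER 3
#define HB_PADDING 16
#define SECRET "SECRET-KEY"
#define SECRET_LEN 10
static unsigned char server_mem[MEM_SIZE];   /* stands in for server memory */
static unsigned char reply[MEM_SIZE];        /* receives the echoed reply  */

/* Write a request claiming claimed_len payload bytes but carrying real_len,
 * with unrelated sensitive data right after it. Returns the real length. */
size_t build_request(unsigned claimed_len, const char *payload, size_t real_len) {
    size_t record_len = HB_HEADER + real_len + HB_PADDING;
    memset(server_mem, 0, MEM_SIZE);
    server_mem[0] = 1;                         /* heartbeat_request */
    server_mem[1] = (unsigned char)(claimed_len >> 8);
    server_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(server_mem + HB_HEADER, payload, real_len);
    memcpy(server_mem + record_len, SECRET, SECRET_LEN);
    return record_len;
}
/* Vulnerable handler: trusts the claimed length and echoes that many bytes.
 * Clamped to MEM_SIZE only to keep the model defined; the real bug read on. */
size_t heartbeat_unchecked(unsigned char *out, size_t record_len) {
    size_t n = (size_t)((server_mem[1] << 8) | server_mem[2]);
    (void)record_len;                          /* never consulted */
    if (HB_HEADER + n > MEM_SIZE) n = MEM_SIZE - HB_HEADER;
    memcpy(out, server_mem + HB_HEADER, n);
    return n;
}
/* Patched handler: drop any request whose claimed payload, with header and
 * padding, does not fit inside the record that was actually received. */
size_t heartbeat_checked(unsigned char *out, size_t record_len) {
    size_t n = (size_t)((server_mem[1] << 8) | server_mem[2]);
    if (HB_HEADER + n + HB_PADDING > record_len) return 0;
    memcpy(out, server_mem + HB_HEADER, n);
    return n;
}
/* Send a 2-byte payload that claims to be 40 bytes through one handler and
 * report whether the echoed reply contains the secret beyond the record. */
int malformed_request_leaks(int use_patched) {
    size_t record_len = build_request(40, "hi", 2), i;
    size_t n = use_patched ? heartbeat_checked(reply, record_len)
                           : heartbeat_unchecked(reply, record_len);
    for (i = 0; i + SECRET_LEN <= n; i++)
        if (memcmp(reply + i, SECRET, SECRET_LEN) == 0) return 1;
    return 0;
}
```

Nothing in the server's reply path is the "secret" on purpose; the unchecked handler simply copies past the end of the message, which is why the only way to know what left a server is to assume the worst.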

Observant readers will note the use of the word “existed” in the past tense, and it is true that OpenSSL has released a patch to ostensibly fix this bug; however, your information may still be at risk. There are still a few things you should be concerned about, listed below in order of significance:

  1. Individuals exploiting this bug leave little to no trace of their actions.

    It is nearly impossible to determine whether a server’s security has been breached through this vulnerability, so thousands of pieces of information may have already been gleaned from a server, and we would be none the wiser. The only course of action for websites is to fix the vulnerability, urge users to change their passwords, and hope the damage was minimal.

  2. This bug has existed in OpenSSL for about two years.

    Though there has been a huge window in which individuals could have exploited this vulnerability, the likelihood of discovering this bug is small (though very much not impossible). However, now that the general public is aware of this bug, it is a race between server managers and the “bad guys”.

  3. Individuals who successfully acquired usernames and passwords can still use them to “hack” into your accounts.

    You can bypass this by simply changing your passwords; a list of sites potentially affected by the Heartbleed Bug can be found here. One caveat: if the site on which you are changing your password has not yet applied the OpenSSL patch and taken the right steps to certify that its servers are secure, your credentials will still be insecure. As such, it is recommended that you change your passwords immediately, and change them once more when that site verifies that it is secure (if it hasn’t already).

  4. Ultimately, the world will probably never know the extent to which this bug has allowed “secure” information to fall into the hands of “hackers”. However, just as “the burned hand teaches best” (J.R.R. Tolkien), this incident has prompted a change in the way we look at internet security.