Over the last couple of days, you may have heard about the rather ominous-sounding Heartbleed bug – a bug that affected hundreds of millions of websites, exposing usernames, passwords, encryption keys, and other sensitive data. This bug went undiscovered for two years, meaning it's highly likely that some of your data was exposed, and may have been scooped up by enterprising hackers – and unfortunately, given the nature of this bug, there's almost nothing you can do about it.
As of this morning, despite the frenzied installation of security patches, a huge number of sites are still affected by the bug, and they will likely remain so for months to come. Read on to find out more about Heartbleed, and what you can do to protect yourself.
What is the Heartbleed bug?
Heartbleed is a bug in OpenSSL's implementation of the SSL/TLS protocol. OpenSSL is an open source library that manages secure, encrypted communications for the majority of online web servers. If the server supports encrypted communications – i.e. it accepts addresses that start with https:// – then there's a good chance that it's vulnerable to Heartbleed. You can use the Heartbleed test website to see if a site is vulnerable to the exploit.
I won't get into the technical details of what caused the Heartbleed bug in the first place – the Heartbleed website has all the info you might need – but I'll tell you roughly how it works and what data it exposes. Heartbleed, official designation CVE-2014-0160, is a bug in OpenSSL's heartbeat extension. It isn't important to know what this extension does, only that it was poorly coded (in coder speak, it lacked bounds checking).
This bug can be exploited by a hacker to read blocks of 64KB from the server's RAM. The hacker can only grab one 64KB block at a time, but he can keep going back for more until he's gathered all the data he needs.
With access to the server's memory, the jig is up. Passwords, security certificates (encryption keys), other sensitive details – they're all stored in memory, and they've all been exposed for the last two years thanks to OpenSSL's Heartbleed bug.
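As an added illustration (not code from this article or from OpenSSL itself), here is a toy model of the missing bounds check described above: a heartbeat handler that trusts the length the peer wrote into the message, next to one that checks that length against the bytes actually received, which is the shape of the 1.0.1g fix. The record layout, the 40-byte claim and the fake key are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Toy model of a TLS heartbeat record, constructed for this example (not
 * OpenSSL's real code): type byte, two-byte big-endian payload length, payload. */
typedef size_t (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);
/* Vulnerable shape: trusts the length the peer wrote into the header and copies
 * that many bytes back, so the copy runs past the short record into adjacent memory. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    size_t payload = ((size_t)rec[1] << 8) | rec[2]; /* peer-controlled */
    (void)rec_len;                 /* the real record length is never consulted */
    if (payload > out_cap) payload = out_cap;
    memcpy(out, rec + 3, payload); /* reads beyond the end of the record */
    return payload;
}

/* Fixed shape, as the 1.0.1g patch does: silently discard the message if the
 * claimed payload would not fit inside the bytes that actually arrived. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < 3) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload > rec_len || payload > out_cap) return 0; /* bounds check */
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Constructed scenario: a record with one real payload byte whose header claims
 * 40 bytes, with a fake key sitting in memory right after the record. */
static const char SECRET[] = "CONSTRUCTED-PRIVATE-KEY";
static unsigned char reply[64];
size_t simulate(hb_handler handler) {
    unsigned char mem[64] = {0};
    mem[0] = 1; mem[1] = 0; mem[2] = 40; mem[3] = 'A'; /* type, length, payload */
    memcpy(mem + 4, SECRET, sizeof SECRET);
    memset(reply, 0, sizeof reply);
    return handler(mem, 4, reply, sizeof reply); /* only 4 bytes really arrived */
}
/* Does the echoed reply carry the fake key past the single real payload byte? */
int reply_leaked_secret(void) {
    return memcmp(reply + 1, SECRET, sizeof SECRET - 1) == 0;
}
int main(void) {
    size_t n = simulate(heartbeat_vulnerable);
    printf("vulnerable: echoed %zu bytes, leaked=%d\n", n, reply_leaked_secret());
    n = simulate(heartbeat_fixed);
    printf("fixed: echoed %zu bytes, leaked=%d\n", n, reply_leaked_secret());
    return 0;
}
```

The vulnerable handler echoes 40 bytes, 39 of which were never part of the message, while the fixed one returns nothing at all; that single length comparison is the entire difference between the two.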
How to protect yourself/your servers from Heartbleed
If you're a server admin: The Heartbleed bug has been patched in version 1.0.1g of OpenSSL. If the updated package isn't available for your distro yet, recompiling with the option -DOPENSSL_NO_HEARTBEATS will also mitigate the bug.
If you're a web surfer: The short and rather unpleasant answer is – there isn't much you can do to protect yourself from Heartbleed. If a website requires you to log in (to post a comment, to check your email) there is a good chance that hackers have had two years to glean your password from the server's memory. The bug is exacerbated by the fact that it leaves no trace in log files, so there's no way of telling if a password or encryption key has been exposed.
It sounds dramatic, but a bug of this magnitude basically necessitates that almost everyone on the Internet changes their passwords. There is a very high chance that your name and password are currently sitting on a server that is vulnerable to the Heartbleed bug. If you're a server admin, you really need to issue new security certificates for any affected domains.
Before you go and change your passwords, though, bear this in mind: Until all of your websites have updated to a secure version of OpenSSL, you're still vulnerable. How long will it take before the entire web is using a secure version of OpenSSL? Larger websites should be fairly quick to react to an exploit of this magnitude (Yahoo was vulnerable, as the above image shows, but is now fixed). By the end of the week, I would be surprised if there are any big web services that are still vulnerable.
As always with security vulnerabilities, though, it isn't the big sites you need to worry about: It's the forums and smaller e-commerce sites that don't have dedicated administrators that will probably be vulnerable for months or years to come. These smaller sites are notorious for running software that is months or years out of date, because no one can be bothered to perform (or knows how to perform) the requisite updates. If you know someone who runs a smaller website or forum, send them a link to this story or to the Heartbleed bug website. Tell them that they really need to update to the latest version of OpenSSL.
The Heartbleed bug will cause ripples for years to come – and in the short term, possibly a tsunami of high-profile hacks as well, unless big websites move very quickly indeed. Following the bug's public disclosure on 7 April, there has already been a marked increase in the number of users reporting hijacked accounts. If a hacker manages to obtain the security certificates for a high-profile target, like a bank or government – which is a very likely possibility – there's almost no limit to the amount of damage that could be done. All because of a sloppy bit of coding by the OpenSSL team.