A closer look at how Heartbleed actually works

Fancy acronyms like TLS (Transport Layer Security) and SSL (Secure Sockets Layer) sound complicated to those not trained in network communications. You'd expect that the Heartbleed attack, which takes advantage of a bug in secure communications, would be something incredibly complex and arcane. Well, it's not. In fact, it's ridiculously simple.

When it's working correctly

First, a little background. When you connect with a secure (HTTPS) website, there's a kind of handshake to set up the secure session. Your browser requests and verifies the site's certificate, generates an encryption key for the secure session, and encrypts it using the site's public key. The site decrypts it using the corresponding private key, and the session begins.

A plain HTTP connection is a series of seemingly unrelated events. Your browser requests data from the site, the site returns that data, and that's it, until the next request. However, it's helpful for both sides of a secure connection to be sure the other is still active. The heartbeat extension for TLS simply lets one device confirm the other's continued presence by sending a specific payload that the other device sends back.

A big scoop

The heartbeat message is a data packet that includes, among other things, the payload itself and a field that declares the payload's length. A Heartbleed attack involves lying about that length. The malformed heartbeat packet claims a payload length of 64KB, the maximum possible, while carrying far less. When the buggy server receives that packet, it trusts the claimed length and responds by copying that quantity of data from its memory into the response packet.

Just what's in that memory? Well, there's no way to tell. The attacker will have to comb through it looking for patterns. But potentially anything at all could be captured, including encryption keys, login credentials, and more. The fix is simple – check to make sure the sender isn't lying about packet length. Too bad they didn't think to do that in the first place.
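
The check described above, sketched in C as an added example (it is not OpenSSL's code and not part of the original article): one function measures how far a length-trusting responder would read past the received message, the other echoes the payload only when the claimed length fits. Function names, constants and the two sample messages are constructed for illustration; the layout assumed (1-byte type, 2-byte length, payload, at least 16 bytes of padding) is the one in RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HEADER    3   /* 1-byte type + 2-byte claimed payload length */
#define HB_PADDING   16  /* minimum padding required by RFC 6520 */

/* Constructed samples: an honest 5-byte payload, and a 1-byte payload
 * that claims 0xFFFF bytes. Unset trailing bytes are zero padding. */
const uint8_t HB_HONEST[24] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
const uint8_t HB_LYING[20]  = { HB_REQUEST, 0xFF, 0xFF, 'x' };
uint8_t hb_out[64];

/* Bytes a responder that trusts the length field would read past the end
 * of the received message. Computes the figure only; nothing is copied. */
size_t hb_overread_if_unchecked(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < HB_HEADER)
        return 0;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    size_t actual = msg_len - HB_HEADER;
    return claimed > actual ? claimed - actual : 0;
}

/* Hardened responder: echoes the payload only when the claimed length fits
 * inside what was actually received. Returns the response length, or 0
 * when the message must be silently discarded. */
size_t hb_build_response(const uint8_t *msg, size_t msg_len,
                         uint8_t *out, size_t out_cap)
{
    if (msg_len < HB_HEADER + HB_PADDING || msg[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    if (claimed > msg_len - HB_HEADER - HB_PADDING)
        return 0;                        /* sender lied about the length */
    size_t resp_len = HB_HEADER + claimed + HB_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HEADER, msg + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_PADDING); /* real TLS pads randomly */
    return resp_len;
}
```

For the constructed 20-byte message that claims 65,535 bytes, the unchecked arithmetic reaches 65,518 bytes beyond the message, while the hardened responder returns 0 and sends nothing.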

Rapid response

Since exploitation of this bug leaves no traces, we can't really tell how much supposedly-secure data has been stolen. Dr David Bailey, BAE Systems Applied Intelligence's CTO for Cyber Security, said: "Only time will tell whether digital criminals are able to exploit this to acquire sensitive personal data, take over user accounts and identities and steal money. This specific issue will pass but it does highlight an important feature of the connected world, and illustrates the need for businesses and security providers to both be agile in how they address issues such as these, and adopt intelligence-led techniques that improve defences before weak spots are attacked."

It looks like most websites are demonstrating the required agility in this case. BAE reports that on 8 April it found 628 of the top 10,000 websites vulnerable. On 9 April, yesterday, that number was down to 301 – and this morning it had dwindled to 180. That's a pretty fast response; let's hope the holdouts get busy with fixing the bug soon.

The infographic above illustrates just how Heartbleed works.

For advice on dealing with the consequences of Heartbleed, see our in-depth guide to what action you should take regarding Heartbleed and your passwords.