HeartBleed

This week, it was revealed that one of the Internet's encryption tools had a major exploit. This, of course, was the HeartBleed exploit for OpenSSL. To understand this exploit and what it does, one must understand what OpenSSL is.

OpenSSL is an open-source implementation of the SSL and TLS protocols. Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are designed to provide communication security over the internet and for web applications. These encryptions are known as public-private key encryptions. This encryption works by creating two sets of keys: one is known as the public set and the other is called the private set. The public key is encrypted, then that key is released to the public. The encryption can only be decrypted by the holders of the private keys. The user usually has the public key side and the private key, while the server has only the private key. While data is encrypted, it can only be accessed if the individual has both sets of keys, but since the public key is encrypted an outside viewer cannot see the public key. This is to prevent man-in-the-middle attacks, which is when an outside viewer looks at the traffic between the two parties, which would defeat the purpose of the encryption.


To gain access to the public key, the holder needs to have the private key or the data will be unreadable. This allows the information to be sent over a non-dedicated line. The difference between SSL and TLS is speed: TLS is a newer and improved way of doing public-private key encryption. There are multiple SSL certificates a website can have, and the one that was affected by HeartBleed is OpenSSL. In SSL there is a term called heartbeat, a message which the two sides of the connection send out at set intervals to confirm that the connection is still alive. What HeartBleed does is send a fake heartbeat message to the server. The server takes this fake message for a real heartbeat message, but it is not: what the exploit actually does is record part of the server's memory, including the private keys. One thing to clarify is that the exploit has to be run multiple times to get the full private key; this can take days or weeks to do.
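The heartbeat check described above, as an added example (not code from the original post or from OpenSSL): a heartbeat message declares its own payload length, and the receiver has to compare that declared length with the bytes that actually arrived before echoing anything back. The message layout follows RFC 6520; the function names and the two sample messages are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER = 3, HB_MIN_PAD = 16 };
enum hb_verdict { HB_OK, HB_TRUNCATED, HB_BAD_TYPE, HB_LENGTH_MISMATCH };

/* Compare the length the sender declared with the number of bytes that
 * actually arrived (msg_len) before anything is read from the buffer. */
enum hb_verdict hb_validate(const uint8_t *msg, size_t msg_len, size_t *payload_len)
{
    if (msg == NULL || msg_len < HB_HEADER + HB_MIN_PAD)
        return HB_TRUNCATED;
    if (msg[0] != HB_REQUEST && msg[0] != HB_RESPONSE)
        return HB_BAD_TYPE;
    size_t declared = ((size_t)msg[1] << 8) | msg[2];
    /* Header + declared payload + padding must fit in what was received. */
    if (declared > msg_len - HB_HEADER - HB_MIN_PAD)
        return HB_LENGTH_MISMATCH;
    if (payload_len != NULL)
        *payload_len = declared;
    return HB_OK;
}

/* Build the echo reply from validated bytes only; returns the reply size or
 * 0 when the request is dropped. Padding is zeroed to keep the example short. */
size_t hb_echo(const uint8_t *req, size_t req_len, uint8_t *out, size_t out_cap)
{
    size_t n = 0;
    if (hb_validate(req, req_len, &n) != HB_OK || req[0] != HB_REQUEST
        || out_cap < HB_HEADER + n + HB_MIN_PAD)
        return 0;
    out[0] = HB_RESPONSE; out[1] = req[1]; out[2] = req[2];
    memcpy(out + HB_HEADER, req + HB_HEADER, n);
    memset(out + HB_HEADER + n, 0, HB_MIN_PAD);
    return HB_HEADER + n + HB_MIN_PAD;
}

int main(void)
{
    /* Constructed samples: each really carries 4 payload + 16 padding bytes. */
    uint8_t honest[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t fake[23]   = { HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g' };
    uint8_t reply[64];
    printf("honest reply: %zu bytes, fake reply: %zu bytes\n",
           hb_echo(honest, sizeof honest, reply, sizeof reply), hb_echo(fake, sizeof fake, reply, sizeof reply));
    return 0;
}
```

The second sample declares 0x4000 payload bytes while only 4 are present, so it is dropped instead of being answered.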

Even with that notice, that does not mean your data is secure, since for the average user there is nothing they can really do. Site admins can do something: they need to update their SSL certificate if they are using OpenSSL, since the patch has been released to fix the HeartBleed exploit. Then, after patching the certificate, it is extremely important for the site admin to send a notification to its users to change their passwords. Users should only change their passwords on a patched server, since doing so on an unpatched server is useless. This is because HeartBleed allows access to the private key, so if someone gains access to the private key via HeartBleed, they would be able to decrypt the public key, allowing them to see the password anyway.

So it's necessary to find out if the sites you go to are using OpenSSL and are not patched. The first thing is: don't log in. The second step would be to find out if they have the outdated version of OpenSSL. To do that, go to http://filippo.io/Heartbleed/ and follow its instructions to run a scan of the site for the unpatched SSL protocol. If the scan says it's patched or unaffected, then it's safe to log in and change your password. If the site hasn't updated its certificates, you shouldn't log in, since you are allowing your key to possibly be exposed. For the most part, all of the affected sites have been patched, but you should still probably change your password. Another note is that sites that use SSL will have https:// instead of the normal http://. Here is a nice list of some major sites that have been affected and have patched their sites: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

It is important to note that HeartBleed was first found by a computer security team called Codenomicon, which means security experts believe they caught the exploit early on, before it could do any real damage, but it is too early to say the internet is safe from HeartBleed.
