Heartbleed: Romantic Name for a Potentially Catastrophic Security Flaw

By: Jerome Auza

I normally stay away from affairs of the heart but someone in the computing industry gave a quite romantic name to a potentially catastrophic flaw in a security system we trust: Heartbleed.  The flaw is described in detail using almost layman’s terms at www.heartbleed.com.

In a nutshell, the bug allows any unauthorized user to query a server and capture unencrypted data using OpenSSL, a popular open source implementation of the SSL protocol.  SSL protocol is used in many applications requiring encrypted data traffic between a user’s computer and a server.  Examples would be HTTPS, or the secure HTTP protocol commonly used in most applications requiring encryption such as online banking, Facebook and other social networking sites, webmail systems and many more.

The flaw existed for about two years but was just discovered earlier in April 2014.  In fairness to the programmer and peer reviewers, the bug is a subtle bug that don’t really become obvious as a bug until it is in production and many users are using it.  It was discovered independently by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security.

It is called Heartbleed because the bug existed in OpenSSLs implementation of  the SSL protocol’s heartbeat extension.  In computer applications, heartbeat is the general term of the method done by an application to inform other applications or users of that application that the application is still running.  When the heartbeat data exchange it done, it is possible for an unauthorized user to fake the length of the data that it needs and the server simply return that full contents of the memory location that contains the data.  The exploit can happen because the memory location data that can be captured can contain the unencrypted version of the data exchanged within the SSL protocol.

While potentially catastrophic, it will take a bit of effort on the part of the exploiter to capture usable unencrypted data because the contents of a memory location could change randomly.  Also, the vulnerability also exists only on a specific version of the OpenSSL 1.0.1 through 1.0.1f (inclusive).  I checked the servers I’m using and fortunately I  used an older version of OpenSSL.  Many commercial websites use other implementations of the SSL protocol so they wouldn’t be affected by the bug.

To be safe though, it is advisable to change passwords of all your online accounts AFTER the owner of the website confirms they have updated OpenSSL on their server if they use that.

Submit a Comment