Heartbleed Bug

By Sreenath Sasikumar

For most folks, an HTTPS-prefixed URL is the sure sign of a protected website. “It must be safe!” They then feel comfortable using the site for all intended purposes and disclosing highly sensitive information to it, such as banking passwords and credit card information. But if you’ve been keeping up with the latest tech news around the world, you might have heard one name coming up a lot lately: Heartbleed.

Heartbleed is a major security flaw that, if exploited, causes a web server to reveal user content. The main reason this flaw gained so much attention is that it occurred in OpenSSL, open source software used across the globe to encrypt communications over the Internet. OpenSSL is the main software behind the HTTPS URLs you see on banking websites, online file-storage systems and a host of other sites that are routinely entrusted with confidential information.

Before going into the origins of Heartbleed, let’s take a brief look at how secure communications occur via the Internet.

At the core of every secure Internet communication or transaction there is a pair of technologies called Secure Sockets Layer (SSL) and Transport Layer Security (TLS). These two are responsible for exchanging the cryptographic keys that let the server recognise authentic input from the browser. In simpler terms, they are the watchdog of the secret digital handshake that guards the sensitive data exchanged between you and a secure website.

Technically, Heartbleed is known as CVE-2014-0160. The name was coined from the SSL heartbeat, whose faulty handling in OpenSSL caused the flaw. The SSL heartbeat is an echo function used to verify that both the server and the client correctly handle encryption and decryption of the transmitted data: the client sends a number of bytes of data to the server and requests that they be echoed back.

Because of Heartbleed, an SSL heartbeat can trigger a buffer over-read, causing memory content from the server to leak and fall into the hands of cyber criminals. In addition to exposing the contents of the server’s memory, Heartbleed can give hackers access to the server’s digital keys. This has more severe consequences, as a hacker can use these keys to trick users into submitting information to bogus servers rather than the original ones. Hackers can also break into previous transactions performed by the user with the server.
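As an added illustration (not code from the original post or from OpenSSL), this C simulation shows the echo handler described above: the unchecked version copies as many bytes as the request header claims, so memory beyond the record leaks into the reply, while the hardened version applies the length check that the OpenSSL fix introduced. The record layout, the `g_mem` stand-in for process memory and the `SECRET-SESSION-KEY` bytes are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING 16   /* RFC 6520 minimum padding */

/* Constructed stand-in for process memory: a heartbeat record at offset 0,
 * followed by unrelated bytes (a pretend session key) that must never leak. */
static unsigned char g_mem[128], g_out[128];

/* Write a request whose header claims `claimed` payload bytes while the record
 * really carries `payload`; returns the record's true length (padding = zeros). */
static size_t build_request(const char *payload, uint16_t claimed) {
    size_t real = strlen(payload) > 90 ? 90 : strlen(payload);
    size_t rec_len = 3 + real + HB_PADDING;
    memset(g_mem, 0, sizeof g_mem);
    g_mem[0] = HB_REQUEST;
    g_mem[1] = (unsigned char)(claimed >> 8);
    g_mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(g_mem + 3, payload, real);
    memcpy(g_mem + rec_len, "SECRET-SESSION-KEY", 18);  /* adjacent memory */
    return rec_len;
}

/* Echo handler. With `hardened` the bounds check the OpenSSL fix added rejects
 * mismatched records; without it the claimed length is trusted blindly.
 * Returns the response length, or -1 if the record is rejected. */
static int hb_respond(const unsigned char *rec, size_t rec_len, int hardened) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (hardened && 1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return -1;                               /* claimed payload exceeds record */
    size_t resp_len = 3 + payload_len + HB_PADDING;
    if (resp_len > sizeof g_out) return -1;      /* keeps this demo within g_mem */
    g_out[0] = HB_RESPONSE; g_out[1] = rec[1]; g_out[2] = rec[2];
    memcpy(g_out + 3, rec + 3, payload_len);     /* the over-read when unchecked */
    memset(g_out + 3 + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Response length for a request with the given real payload and claimed length. */
int respond_len(const char *payload, uint16_t claimed, int hardened) {
    return hb_respond(g_mem, build_request(payload, claimed), hardened);
}

/* 1 if the pretend session key appears anywhere in the response bytes. */
int leaks_secret(const char *payload, uint16_t claimed, int hardened) {
    int n = respond_len(payload, claimed, hardened);
    for (int i = 0; i + 18 <= n; i++)
        if (memcmp(g_out + i, "SECRET-SESSION-KEY", 18) == 0) return 1;
    return 0;
}
```

A five-byte payload that claims 64 bytes yields an 83-byte reply containing the neighbouring secret when unchecked, and is dropped outright by the hardened path.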

For example, if a hacker has access to the digital keys of Yahoo’s mail server and you log into your Yahoo email account, you’re opening the door for the hacker to see your username and password. Now this cyber criminal has access to all your emails. What if that were the case with your bank’s online banking page? Critical information could be compromised: hackers would have access to all your financial credentials, credit card information and more.

SSL and TLS security software guards almost all secure transactions on the Internet, including email systems, file storage and instant messaging systems, to name a few. In short, hackers can exploit almost 90% of the information that you post online and don’t want others to see.

Millions of websites face the prospect of a data leak because of Heartbleed, if they haven’t leaked information already. The vulnerability is said to have existed for several years, which means there’s a chance your secret information is already lying out in the wild somewhere on the Internet, open to attack. Sites like Mashable have compiled a list of popular sites that could have been compromised by this vulnerability.

Several top websites have already released fixes for the exposure, and several more are in the process of fixing it. The real problem, however, lies in the fact that it’s not enough for these sites to simply fix their servers.

Users need to update their passwords and login information immediately, or risk cyber criminals still accessing their data, as these hackers now know the digital keys the server used to authenticate user requests.

If you are a website owner, you can test whether your site is susceptible to the Heartbleed vulnerability using this tool. Our engineers use this tool to cross-check the sites we’re working on. As a regular user, keep an eye on your credit card and other statements as well, and change all your passwords.

Heartbleed has created a massive uproar in the cyber world for legitimate reasons. Make sure to follow the latest security guidelines in your business applications and ensure protection from such vulnerabilities. Get in touch with us and allow us to develop the most secure web applications for your needs. Call 1-888-690-0060. Forward Thinking Applied.