Five Essential Facts About Heartbleed And OpenSSL
What Is Heartbleed?
The Secure Sockets Layer protocol protects just about every website in the world that encrypts data in transit. Last week a vulnerability was discovered in OpenSSL, the implementation of SSL and Transport Layer Security that's used in about two-thirds of those servers. In the days that followed, the reporting that surrounded the revelation was a stew of raw panic, hot tempers and hyperbole, with a sprinkling of misinformation. Here are some essential facts about OpenSSL, the so-called Heartbleed vulnerability, and how, why and whether it should concern the companies with which you do business.
OpenSSL implements the TLS heartbeat extension, which lets a client keep a connection with the server open by sending a heartbeat message. Attackers can exploit the open channel with requests that "bleed" the server of otherwise protected information residing in the RAM used by that service. Exposed information can include user names and passwords, the content of email and instant messages, primary and secondary encryption keys and other documents. The bug has been in the wild since March 14, 2012, and affects versions 1.0.1 through 1.0.1f. Versions 0.9.8, 1.0.0 and 1.0.1g are not affected.
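The defect behind the "bleed" is a missing bounds check on the heartbeat message's declared payload length. The following is an added example, not code from the article or from OpenSSL: it parses a TLS record carrying a heartbeat message and rejects any message whose declared payload length does not fit in the bytes actually received, which is the check the fixed version applies. The two sample records are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* TLS record and heartbeat constants from RFC 5246 and RFC 6520. */
#define TLS_CT_HEARTBEAT 24
#define HB_REQUEST        1
#define HB_RESPONSE       2
#define HB_MIN_PADDING   16

enum hb_verdict { HB_OK = 0, HB_NOT_HEARTBEAT, HB_TRUNCATED, HB_LENGTH_MISMATCH };

/* Validate one TLS record (5-byte header + fragment) carrying a heartbeat.
 * The decisive test is the bounds check the 1.0.1g fix added: declared
 * payload_length + 1 type byte + 2 length bytes + at least 16 bytes of
 * padding must fit inside the fragment actually received. Vulnerable
 * versions trusted payload_length and echoed that many bytes from memory. */
enum hb_verdict check_heartbeat_record(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 5 || rec[0] != TLS_CT_HEARTBEAT)
        return HB_NOT_HEARTBEAT;
    size_t frag_len = ((size_t)rec[3] << 8) | rec[4];
    if (frag_len + 5 > rec_len || frag_len < 3)
        return HB_TRUNCATED;            /* fragment not fully present */
    const uint8_t *hb = rec + 5;
    if (hb[0] != HB_REQUEST && hb[0] != HB_RESPONSE)
        return HB_NOT_HEARTBEAT;
    size_t payload_len = ((size_t)hb[1] << 8) | hb[2];
    if (1 + 2 + payload_len + HB_MIN_PADDING > frag_len)
        return HB_LENGTH_MISMATCH;      /* the Heartbleed shape: reject it */
    return HB_OK;
}

/* Constructed sample: a well-formed request with a 4-byte payload
 * ("ping") and 16 bytes of padding, so the fragment is 23 bytes. */
enum hb_verdict check_sample_benign(void)
{
    static const uint8_t rec[] = {
        0x18, 0x03, 0x02, 0x00, 0x17,          /* heartbeat, TLS 1.1, len 23 */
        0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',  /* request, payload_length 4 */
        0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };     /* 16 bytes of padding */
    return check_heartbeat_record(rec, sizeof rec);
}

/* Constructed sample: a request whose declared payload_length (16384)
 * far exceeds the 3-byte fragment that carries it. */
enum hb_verdict check_sample_oversized(void)
{
    static const uint8_t rec[] = { 0x18, 0x03, 0x02, 0x00, 0x03, 0x01, 0x40, 0x00 };
    return check_heartbeat_record(rec, sizeof rec);
}
```

The same length comparison is what an IDS rule for Heartbleed traffic evaluates, so the check works both as an input validator and as a detection test.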
The first thing we recommend that companies do is to check their own servers and those of clients and other companies with which they're involved. One easy way to do that is to visit filippo.io/Heartbleed, a website created by crypto-consultant Filippo Valsorda. Just enter a site's URL and click GO to test it for vulnerability to Heartbleed. It takes just a few seconds per site, the results are specific, and they are explained on a detailed FAQ page. A partial list of commercial servers was published along with CERT's Heartbleed vulnerability report.
It's Not Just Servers
Servers are not the only devices that can be affected by the Heartbleed bug. Any device running any of the affected versions of OpenSSL is vulnerable, including PCs and smartphones. After web servers, perhaps the greatest number of affected devices are those running Android. KitKat systems are unaffected, but anything prior will require an update. Mashable published a list of servers affected by Heartbleed that includes Facebook, Google (and Gmail), Instagram and Yahoo. LinkedIn is not affected, and Twitter wasn't sure but has applied the patch. Fortunately, there are no banks or other financial institutions on the list.
What To Do
Codenomicon, the security software company that discovered the vulnerability along with Google Research, recommends on its Heartbleed.com website that companies running an affected version upgrade immediately to OpenSSL 1.0.1g. This version, released on April 7, fixes the bug. If upgrading is impossible or impractical, the vulnerability can be mitigated by disabling the heartbeat extension and recompiling OpenSSL with the compile-time switch -DOPENSSL_NO_HEARTBEATS. Restart any software that uses OpenSSL afterwards. Changing passwords offers limited benefit until after the patch is applied. And since exploitation leaves no trace, there's no way to know if a site has been hacked.
Open Is Secure
Heartbleed is a serious flaw, but it's not a first in the annals of open source development. It is, however, an opportunity for the naysayers to rail about the dangers of having so many eyes on something that's supposed to provide security. It's an arguable point, but consider the alternative. If such a vulnerability had been found in a component made by a private company with an interest in avoiding the expense of negative publicity and liability, the world might never have even known about it. The Heartbleed bug was fixed within four days of its discovery.