April 19, 2014

Heartbleed Bug

Author Amelia Warner

Category Blog | eCommerce |

A severe vulnerability, now known as the “Heartbleed” bug, in the popular and widely adopted OpenSSL (Secure Sockets Layer) technology has been discovered. Open SSL is the technology used to safeguard information travelling to and from millions of servers everywhere. The security scientists are investigating the security threats and the long term consequences of the Heartbleed bug.

Heartbleed Bug

CVE-2014-0160 is the official reference to this bug. CVE (Common Vulnerabilities and Exposures) is the Standard for Information Security Vulnerability Names. The security community refers to vulnerabilities by numbers, not names. CVE-2013-0156, CVE-2014-0160, or CVE-2014-0346 is apparently the official classification for the bug.
SSL – The bug exists in the underlying structure of SSL, the industry standard for creating encrypted links between client and server. When you type “https” in a Web URL to provide a secure encrypted connection while banking, shopping or even during Tweeting, you’re using SSL. Many email providers use SSL, both for Web mail and when exchanging mail with client programs such as Microsoft Outlook. Instant messaging programs are secured with SSL, as are some virtual private networks (VPNs). So it’s a threat to all.
The bug is a serious vulnerability in the popular OpenSSL cryptographic software library. The vulnerability allows anyone to read the memory of servers supposedly protected by SSL, and reveals the cryptographic keys that allow messages to be decoded, the credentials of users, and the content. Once the keys are compromised, attackers can look at any communications unnoticed.
For more information, visit http://heartbleed.com/.

So the million dollar question is what to do?

You definitely need to change your passwords, but that won’t help until the sites you use adopt the fix. It’s also up to the Internet services affected by the bug to let users know of the potential risks and encourage them to change their passwords. Vulnerable versions of OpenSSL are to be avoided. Fixed OpenSSL version has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use. It is recommended to update the SSL libraries and renew the SSL certificates.
Other references: