Heartbleed in a heartbeat

Two days ago a critical bug in OpenSSL was reported by Codenomicon. The bug, termed Heartbleed, enables an attacker to eavesdrop on secure communications using various versions of OpenSSL.

OpenSSL is the most popular open source cryptographic library in use today. The Heartbleed bug capitalises on a flaw in OpenSSL’s implementation of the TLS “heartbeat” extension. The flaw has been around for the past two years, and exposes all sensitive data in system memory, such as login details, emails, etc.

It is relatively easy to carry out this attack, and it leaves no trace – no sign appears in the log files. In addition to eavesdropping on data in memory, the encryption keys can also be stolen.

Filippo Valsorda created a tool – the Heartbleed Test – where anyone can check whether a website is vulnerable to this bug. Some of the websites vulnerable to this bug are listed here.

Administrators need to update to OpenSSL 1.0.1g which has a fix for this bug. They also need to replace encryption keys that may have been compromised. Users of compromised sites need to change their passwords after the server-side fixes have been implemented. Changing passwords before server-side fixes is pointless – organisations need to notify their users when the server updates are complete and advise customers only then to change passwords.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: