Mass Web encryption breach: ‘Heartbleed' bug may have affected 66 percent of Internet
A new crisis emerged in the world of online security Monday when the open-source OpenSSL project released an emergency security advisory revealing that researchers have discovered a serious security flaw called "Heartbleed" in its software.
Researchers estimate that the back end of as much as two thirds of the Internet may have been compromised by the newly discovered bug.
Software designers have created different types of SSL protocols. Heartbleed specifically targets one of the most popular versions of the SSL, the open-source protocol called OpenSSL used by an estimated 66 percent of websites to encrypt sensitive user data, according to LifeHacker.
When a user logs into a website, his login credentials are sent to the server of that website. The credentials are usually not sent in plain text, but in encrypted form using an SSL protocol.
The Heartbleed security bug allows hackers to obtain the plain text of emails sent to servers using the OpenSSL protocol.
The security flaw has existed for about two years, according to researchers who discovered it. This means that black-hat hackers might have discovered it before researchers and exploited it.
Immediately after the bug was detected, the OpenSSL project released this emergency warning:
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including1.0.1f and 1.0.2-beta1.
Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <firstname.lastname@example.org> and Bodo Moeller <email@example.com> forpreparing the fix.
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
1.0.2 will be fixed in 1.0.2-beta2.
As the advisory explains, the bug works by allowing a hacker to access about 64K of working memory on any server and thus gain access to data traffic.
According to Verge:
It's a bit like fishing — attackers don't know what usable data will be in the haul — but since it can be performed over and over again, there's the potential for a lot of sensitive data to be exposed. The server's private encryption keys are a particular target, since they're necessarily kept in working memory and are easily identifiable among the data. That would allow attackers to eavesdrop on traffic to and from the service, and potentially decrypt any past traffic that had been stored in encrypted form.
This gives an impression of just how serious the bug is. Many experts have described it as simply "catastrophic."
So serious is the flaw that Tor Project advises users: "if you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle."
That is, users are advised not to log in to vulnerable sites until they have fixed the problem. Once the site has been patched, users are advised to change their password.
However, if you must log in to your favorite website you are advised to log out as soon as you finish using the website.
Vulnerable sites include all servers running OpenSSL on Apache or Nginx, according to Verge.
Major online services affected by the bug have said they are working fast to patch up the problem.
The Huffington Post reports that websites such as OKCupid, Flickr, Imagur and Yahoo.com were vulnerable to the flaw.
But Yahoo said in a statement: "Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo home page, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr) and we are working to implement the fix across the rest of our sites right now."
According to Verge, Apple, Google and Microsoft and major e-banking services appear unaffected.
Github.com gives a comprehensive list of major sites that were affected.
Developer Filippo Valsorda set up a service here to allow users test if websites they log in to regularly are vulnerable, but Verge warns the service has been found not to be 100 percent reliable because it sometimes gives false negative response.
However, when Allvoices reporter visited Valsorda’s site, the FAQ page claimed that bugs causing the false negatives have been fixed. He got an "Uh-oh something went wrong" response when he tested his favorite site.
According to the FAQ page, this could mean that the software was encountering "countermeasures, firewalls and IPS closing the connection or sink-holing it when they detect a heartbeat."
Experts advise servers to reset their certificates. Although this is a time-consuming and expensive process, it inadvisable for a compromised site to continue using a compromised certificate.