OpenSSL Heartbleed Vulnerability
Security researchers have disclosed a vulnerability in OpenSSL known as Heartbleed (CVE-2014-0160). The bug has been present since OpenSSL 1.0.1 was released in March 2012, roughly two years before its public disclosure in April 2014.
What is SSL?
SSL stands for Secure Sockets Layer; its successor is TLS (Transport Layer Security), and the two names are often used interchangeably. It is the protocol that encrypts data sent across the internet: email, web traffic and instant messaging all rely on it. OpenSSL is the widely used open-source library that implements these protocols, which is why a bug in it reaches so much of the internet. When you see a lock icon in your browser's address bar, the connection to that site is using SSL/TLS. The server proves its identity with a certificate and the matching private key, and the session keys negotiated from that exchange mean only the two endpoints can read the traffic.
What is Heartbleed and How Does it Affect the Internet World?
Heartbleed is a memory bug in OpenSSL's implementation of the TLS heartbeat extension. A heartbeat request carries a length field, and the vulnerable code copied that many bytes back into the response without checking that the request actually contained that many bytes. An attacker can therefore read up to 64 KB of the target process's memory (RAM) per request, without authenticating and without leaving a trace in the logs, and repeat the request as often as they like. That memory holds whatever the server was handling: credit card numbers, names, passwords, session cookies and, worst of all, the server's private key. If the private key is exposed, an attacker can impersonate the server and decrypt any captured session that was not protected by forward secrecy, so the "secure" channel no longer is.
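The following is an added illustration, not OpenSSL's own code: it mirrors the shape of the affected handler (tls1_process_heartbeat in ssl/t1_lib.c) and the bounds check added in 1.0.1g, using a 512-byte array to stand in for process memory. The record builder, the handler names, the response-length and leak-check helpers and the "SECRET:session=..." string are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING 16           /* RFC 6520: a heartbeat carries at least 16 bytes of padding */

/* Constructed record: type(1) | payload_length(2, big-endian) | payload | padding.
 * `claimed_len` is what the sender writes into the length field; the bytes that
 * actually follow are strlen(payload). A constructed "secret" is placed right
 * after the record to stand in for data belonging to other connections.
 * Demo assumption: claimed_len + 3 must stay below mem_size so that the
 * vulnerable over-read stays inside this simulated memory. */
static size_t build_record(unsigned char *mem, size_t mem_size, uint16_t claimed_len,
                           const char *payload, const char *secret)
{
    size_t real_len = strlen(payload), pos = 0;
    memset(mem, 0, mem_size);
    mem[pos++] = TLS1_HB_REQUEST;
    mem[pos++] = (unsigned char)(claimed_len >> 8);
    mem[pos++] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + pos, payload, real_len);
    pos += real_len + HB_PADDING;               /* padding bytes stay zero */
    memcpy(mem + pos, secret, strlen(secret));  /* adjacent memory, not part of the record */
    return pos;                                 /* length of the record actually received */
}

typedef int (*hb_handler)(const unsigned char *rec, size_t rec_len, unsigned char **resp);

/* Common tail: allocate a response of 1 + 2 + payload + padding bytes, as the
 * real handler did, and copy `payload` bytes starting at the request payload. */
static int send_response(const unsigned char *pl, uint16_t payload, unsigned char **resp)
{
    size_t n = 1 + 2 + (size_t)payload + HB_PADDING;
    unsigned char *bp = malloc(n);
    if (!bp) return -1;
    *resp = bp;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);            /* reads `payload` bytes no matter how many arrived */
    memset(bp + payload, 0, HB_PADDING);
    return (int)n;
}

/* Vulnerable (1.0.1 to 1.0.1f behaviour): the length field inside the message is
 * trusted and never compared with the size of the record that arrived. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char **resp)
{
    (void)rec_len;                       /* the bug: the real record length is ignored */
    if (rec[0] != TLS1_HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return send_response(rec + 3, payload, resp);
}

/* Fixed (1.0.1g behaviour): silently discard the message when it is too short
 * to hold header plus padding, or when the declared payload does not fit in it. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char **resp)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    if (rec[0] != TLS1_HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;   /* the Heartbleed check */
    return send_response(rec + 3, payload, resp);
}

static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0) return 1;
    return 0;
}

/* Send a 5-byte payload that claims to be `claimed` bytes long. Returns the
 * response length (-1 if the handler discarded the request) and sets *leaked
 * when the constructed secret ended up in the response. */
static int run_heartbeat(hb_handler handler, uint16_t claimed, int *leaked)
{
    unsigned char mem[512];
    const char *secret = "SECRET:session=0123456789abcdef";   /* constructed */
    size_t rec_len = build_record(mem, sizeof mem, claimed, "hello", secret);
    unsigned char *resp = NULL;
    int n = handler(mem, rec_len, &resp);
    *leaked = (n > 0) && contains(resp, (size_t)n, secret);
    free(resp);
    return n;
}

static int secret_leaked(hb_handler h, uint16_t claimed) { int l; run_heartbeat(h, claimed, &l); return l; }
static int response_length(hb_handler h, uint16_t claimed) { int l; return run_heartbeat(h, claimed, &l); }

int main(void)
{
    printf("vulnerable, claims 64: %d-byte response, leaked secret: %s\n",
           response_length(heartbeat_vulnerable, 64), secret_leaked(heartbeat_vulnerable, 64) ? "yes" : "no");
    printf("fixed, claims 64:      %d-byte response (discarded), leaked secret: %s\n",
           response_length(heartbeat_fixed, 64), secret_leaked(heartbeat_fixed, 64) ? "yes" : "no");
    printf("fixed, honest 5:       %d-byte response\n", response_length(heartbeat_fixed, 5));
    return 0;
}
```

The whole fix is the one comparison against rec_len: a request that honestly declares its length is answered as before, while a request whose length field exceeds the bytes that arrived is dropped instead of being padded out with whatever lay beyond it in memory. Building with -DOPENSSL_NO_HEARTBEATS removes the handler altogether, which is why that compile-time option is an alternative to upgrading.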
Because the vulnerability has been in OpenSSL for two years, there is no way to know who else found the bug before it was reported, or whether it has already been exploited. Exploitation leaves no trace in server logs, so any data passed over an affected connection during that period should be treated as potentially exposed.
What Versions are Affected?
OpenSSL 1.0.1 through 1.0.1f (inclusive), as well as the 1.0.2-beta1 pre-release. The 1.0.0 and 0.9.8 branches do not contain the heartbeat code and are not affected. Run `openssl version` to see which release you have, and be aware that some distributions backport the fix without changing the version string.
What Can You Do?
There are two ways to remove the bug from your OpenSSL build:
1. Upgrade OpenSSL to 1.0.1g, released April 7, 2014, which adds the missing length check.
2. Recompile your current version of OpenSSL with the following compile-time option, which removes the heartbeat code entirely:
-DOPENSSL_NO_HEARTBEATS
Either way, restart every service that links OpenSSL (web servers, mail servers, VPNs, proxies) so the patched library is actually loaded. Patching alone is not enough: any private key that sat in the memory of a vulnerable server may have been read, so generate new keys, obtain new certificates, revoke the old ones and invalidate existing session cookies.
Another very important thing to do is to change the passwords for sites you have logged into over SSL, but only after the site has been patched: logging into a still-vulnerable server sends the new password through the same leaky memory. Give priority to any password you reuse across sites.