24 Apr Heartbleed – Looking back
By now, everyone has heard of the dreaded Heartbleed exploit, and I have received my fair share of customer calls asking for more information: “Are we vulnerable?”, “Do I need to reset all my passwords?”, “What do I need to do to my website?”; the list goes on. First and foremost, to our existing clients: ThinkProfits.com was never running the vulnerable version of OpenSSL, so none of our services were harmed by Heartbleed.
Let’s start from the beginning. Heartbleed is an exploitable vulnerability present in a specific version of OpenSSL, the library most servers use to provide SSL connections and serve their SSL certificates. It is estimated that 17% (half a million) of internet servers were affected, making Heartbleed the largest internet security bug reported to date. This nasty little hole allowed multiple attackers to steal personal information from governments and the private sector alike. Just last week, the CRA reported that 900 social insurance numbers were stolen through such an attack.
So what is Heartbleed and where did it come from? The name Heartbleed is a play on words (the bug lives in the “Heartbeat” mechanism described below) and was coined by Codenomicon, the security company that first discovered the vulnerability. When you are connected in an SSL session (when your web browser is connected to a secure site) there is a lot going on in the background. The server needs to keep track of all of its sessions, and it needs to ensure connectivity. It accomplishes this through a mechanism called a “Heartbeat”: basically a “pulse”, or code words, sent back and forth to ensure that whoever is listening on the other end is the correct person. This is where the problem lies. In OpenSSL 1.0.1, this process was compromised: an attacker could ask for a response larger than the data it had actually sent, and the server obliged without checking. Think of it like a game of “Marco Polo”, played by children. One child yells “Marco” and the others respond “Polo”. This is the same concept, where the attacker yells “Marco” and whispers “+500 characters”, and the server responds “Polo +500 characters of other people’s data”, allowing the attacker to record your information.
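The “Marco Polo” exchange above, modelled in Python as an added example (not code from this post or from OpenSSL): a heartbeat message is a type byte, a two-byte payload length, the payload, and padding. The unchecked responder trusts the peer’s length field and echoes whatever sits next to the record in memory; the checked responder mirrors the fix, discarding any message whose claimed payload does not fit inside the bytes actually received. All sample data (the “Marco” request and the neighbouring session data) is constructed here for illustration.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # a TLS heartbeat message ends with at least 16 bytes of padding

def build_request(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request: type (1 byte), payload_length (2 bytes, big-endian),
    payload, padding. 'claimed_len' lets the length field disagree with the real payload."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING

def respond_unchecked(memory: bytes, record_len: int) -> bytes:
    """Model of the pre-fix logic: copy payload_length bytes starting at the payload,
    trusting the peer's length field. When it exceeds the bytes actually received
    (record_len), whatever follows the record in memory is echoed back."""
    _, length = struct.unpack("!BH", memory[:3])
    payload = memory[3:3 + length]  # may run past the record into neighbouring data
    return struct.pack("!BH", HB_RESPONSE, length) + payload + b"\x00" * PADDING

def respond_checked(memory: bytes, record_len: int) -> Optional[bytes]:
    """Model of the fixed logic: the claimed payload must fit inside the received record
    (header + payload + minimum padding); otherwise the message is silently discarded."""
    if 1 + 2 + PADDING > record_len:
        return None
    _, length = struct.unpack("!BH", memory[:3])
    if 1 + 2 + length + PADDING > record_len:
        return None
    return struct.pack("!BH", HB_RESPONSE, length) + memory[3:3 + length] + b"\x00" * PADDING

# Constructed sample: a request whose length field claims 60 bytes but carries 5,
# sitting in a buffer next to data from another (constructed) session.
NEIGHBOUR = b"[constructed: another session's cookie]"
MALFORMED = build_request(b"Marco", claimed_len=60)
MEMORY = MALFORMED + NEIGHBOUR

def leaked_bytes() -> bytes:
    """Payload the unchecked responder sends back for the malformed request."""
    resp = respond_unchecked(MEMORY, len(MALFORMED))
    return resp[3:-PADDING]

def honest_echo() -> bytes:
    """A well-formed 'Marco' request is still answered by the checked responder."""
    req = build_request(b"Marco")
    resp = respond_checked(req + NEIGHBOUR, len(req))
    return resp[3:-PADDING]

if __name__ == "__main__":
    print("unchecked leaks:", leaked_bytes())
    print("checked rejects malformed:", respond_checked(MEMORY, len(MALFORMED)) is None)
    print("checked echoes honest request:", honest_echo())
```

The two-line length check is the whole difference: in Python the slice simply stops at the end of the buffer, whereas the real server kept copying from its process memory.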
Even though the dust has now settled, the total reach of Heartbleed is still unknown. It is safe to say that during the frenzy between its release and the official repair, most internet citizens accessed a system that was affected. It is always good to take precautionary measures after a security breach. We recommend that you reset all of your passwords, not just the online ones, since reusing passwords across different services has become common.
Despite the breach, security certificates are still very important to the day-to-day operation of the internet. We highly recommend that you have one for your site. Google considers it so important that it gives an SEO boost to sites that have SSL certificates installed to protect the end user’s privacy. If you need more information on Heartbleed or on obtaining an SSL certificate, please let us know.