Nearly 70 percent of the traffic on the Internet relies on OpenSSL to secure data transfers. In other words, almost all the major servers (read: websites) use OpenSSL to protect your data, such as login credentials. However, someone from Google found a bug in OpenSSL: a minor programming mistake, but one big enough to hand your data to hackers, people willing to use your data for their own purposes. This OpenSSL bug is named Heartbleed since it lies in OpenSSL's Heartbeat code.
What is the Heartbleed Bug?
Most servers accept encrypted data, decrypt it using their encryption keys and forward it for processing. Since most servers serve end-users on a FIFO (First In, First Out) basis, the decrypted data often sits in server memory for a while before the server takes it up for further processing.
The Heartbleed Bug is a cause for worry for almost all Internet-based commercial websites, and for some other kinds too. The programming error lets hackers reach into any server that uses OpenSSL and read, save and use the unencrypted (decrypted) data. Hackers then not only have access to your data; they can also copy the website's certificate, making the Internet an even more dangerous place. With a copy of the website's certificate, hackers can build mimic sites, sites that look just like the originals, and through those harvest more of your data, such as credit card details and personal information.
This sounds scary, doesn't it? It is, because the bug exposes your information, and that information can be put to any use.
Note: Heartbleed also carries the identifier CVE-2014-0160. CVE stands for Common Vulnerabilities and Exposures. These identifiers are assigned by MITRE, an independent body that keeps track of vulnerabilities and similar issues.
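As an added illustration, not code from this article or from OpenSSL itself, here is the bounds check that the Heartbleed patch introduced, written in C as a self-contained heartbeat handler: the payload length a peer declares is checked against the bytes that actually arrived before anything is echoed back. The record layout and constants follow the TLS heartbeat extension; the function names and the sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS heartbeat message layout: 1-byte type, 2-byte payload length,
 * the payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build the heartbeat response for one received record; returns the response
 * length or -1 when the record must be dropped. Unpatched OpenSSL trusted the
 * declared length and copied that many bytes from the record buffer, so a
 * declared length larger than the record leaked adjacent process memory. */
int heartbeat_reply(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;                       /* too short to be a valid request */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* declared length */

    /* The check the patch added: header + declared payload + padding must
     * fit inside the bytes that actually arrived; otherwise discard silently. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);          /* echo only what was received */
    memset(out + 3 + payload, 0, HB_PADDING);   /* OpenSSL uses random padding */
    return (int)resp_len;
}

/* Constructed samples: an honest 3-byte request is echoed; a request that
 * declares 0xffff payload bytes but carries 3 is dropped. Returns 1 on pass. */
int samples_behave(void)
{
    uint8_t honest[22] = { HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c' };
    uint8_t lying[22]  = { HB_REQUEST, 0xff, 0xff, 'a', 'b', 'c' };
    uint8_t out[256];
    int n = heartbeat_reply(honest, sizeof honest, out, sizeof out);
    if (n != 22 || out[0] != HB_RESPONSE || memcmp(out + 3, "abc", 3) != 0)
        return 0;
    return heartbeat_reply(lying, sizeof lying, out, sizeof out) == -1;
}
```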
Should I upgrade my Anti-Virus or something?
The Heartbleed bug in OpenSSL has nothing to do with your antivirus or firewall. It is not a client-side issue, so there is little you can do about it on your end. Servers, on the other hand, have to apply a patch to the OpenSSL installation they use. Once that is done, the website can be considered safer to interact with.
What you can do as a user is cut down your visits to commerce and similar sites. It is not that the bug affects only commerce sites; it affects every type of website that uses OpenSSL equally. I say avoid commerce sites for a while because they would be the primary target of hackers after card details and the like.
Once you get a message or report that the bug is fixed, you can go back to using the site as you did before the bug was discovered. OpenSSL has created a patch and released it for website owners to secure their users' data. Until then, try to avoid sites where you have to enter your data in any form, even login credentials. I am sure almost all webmasters are applying the patch, but there is still a problem, covered below. Once you are sure that a site has no such vulnerabilities, or that they have been patched, it might be a good idea to change your passwords.
Meanwhile, use these browser extensions to warn you of Heartbleed-affected websites.
Site Certificates copied via Heartbleed need to be addressed
There is a high chance that website security certificates have been copied for building malicious websites. Since such certificates are exact copies, your browser may not be able to tell the difference. It is you who has to remain cautious: avoid clicking links and instead type the website's URL into the address bar, so that you are not redirected to a fake site.
This problem can be solved in two ways:
- The browsers available in the market should be made smart enough to identify copied certificates and alert you.
- The webmasters change the certificates after applying the patch.
Either way, it will take some time to implement the above even after webmasters apply the patch. I want to reiterate: do not click links in emails or on non-reputable websites. Simply type the URL into the address bar or, if you have the original site bookmarked, use the bookmark.
Excellent and accurate article; could only add that EFF had an email out today in part saying TOR hidden services sites may have been compromised, which I offer as an example of how easily any affected server site can suffer; and Qualys SSL Labs currently has a free online SSL Server Test to check any website for Heartbleed vulnerability (of course, The Windows Club passed with their grade A!). Hope this is useful.
Thanks for mentioning the SSL Server Test. Yes, you can check any site there and The Windows Club does pass with an A. :) https://www.ssllabs.com/ssltest/analyze.html?d=thewindowsclub.com
Sorry for the late comment, but just found two brand-new plugins which developers say can help people know if the site they just landed on appears safe from Heartbleed or not: for Chrome browsers, the new extension “Chromebleed”; for Firefox, the new extension “Heartbleed -Ext 3.0”; both will have an icon/indicia somewhere on the browser screen which turns green for safe, yellow for probably safe, and red for likely unsafe; both extensions say they incorporate the Heartbleed assessment ideas of Filippo Valsorda (as a third party). Hope this helps. In my earlier post I mentioned IIS; to be sure, this applies only to SITES on IIS; and would that more enterprises would follow The Windows Club’s style of DDoS, SEO spam, and other protective safeguards! Cheers!
Thanks for the heads up Dan. Covered here: https://www.thewindowsclub.com/browser-extensions-protect-heartbleed
Any time! There is another doodad in re Heartbleed, which I’d heard Steve Gibson praise on “Security Now!” podcasts…it’s called Calomel SSL Validation extension; but it’s for Firefox only, and where it has a few small tweaks, for a well-read average user it really just lets one know if a site/page supports Perfect Forward Secrecy…however, a few sites which pass “Chromebleed”, “Heartbleed -Ext”, and “Qualys” got “red shields” from Calomel, possibly as Calomel ignores or is disrupted by negotiating some sites’ overlaying web security. It seemed to me “Chromebleed” and “Heartbleed -Ext” gave more reliable reads, and if many are getting as many green icons as I do, use of these plugins could also help calm any hysteria about insecure commercial logins.
I heard on April 7, 2014, Microsoft announced IE 12 will finally get strict content policy settings; my wishlist includes CSRF protection which would help re Heartbleed and non-IIS sites with lax security. Cheers!