Just how bad is Heartbleed?

OpenSSL may not be the first thing one thinks of when surfing the net or sending emails, but this is one security bug with the potential to cause a lot of trouble.

OpenSSL may not be the first thing one thinks of when surfing the net or sending emails, but the discovery of ‘Heartbleed’, a security bug that compromises this core piece of the internet’s encryption architecture, is about to cause a lot of grief. The sensitive information we thought was protected isn’t so safe after all, and hasn’t been for a couple of years.

OpenSSL is an open source implementation of SSL (Secure Sockets Layer), the encryption protocol that protects us when we visit sensitive websites and keeps web communications secure.

A lot of leaks

Heartbleed was discovered by researchers with Google and a small security firm Codenomicon, and as far as security bugs go it’s a big deal. The information security sector has a reputation for hyperbole but the sheer scale of the problem is about to make life decidedly uncomfortable for many on the internet.

According to Ty Miller, founder and CEO of infosec firm Threat Intelligence, up to 117,000 web servers may be running a vulnerable version of OpenSSL.

Miller adds that the actual number of vulnerable systems will be far greater, since this figure does not take into account other SSL-protected systems such as email, chat and DNS servers.

OpenSSL powers encryption for two-thirds of web servers globally: it is the default cryptographic library used by the Apache and nginx web servers, and it is present on a wide variety of operating systems and in e-mail and instant-messaging clients.

It’s also embedded in routers and wireless access points via their Linux-based web interfaces.

That’s a lot of leaks and a lot of unlocked doors for attackers.

According to the researchers, the vulnerability was introduced in OpenSSL 1.0.1, released on March 14, 2012, and is present in every release up to but not including 1.0.1g, released on April 7 this year. These releases contain a flaw that allows an attacker to connect to an SSL service (web server, email server, chat server, etc.) and force it to leak data from memory.
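As an added example that is not from the article or from Threat Intelligence, the following Python helper triages `openssl version` banners collected from an inventory against the version range named above (1.0.1 through 1.0.1f). The host names and banners in the sample inventory are constructed for illustration.

```python
import re

# Affected range named in the article: OpenSSL 1.0.1 (14 Mar 2012) up to,
# but not including, 1.0.1g (7 Apr 2014). Patch letters a..f are affected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner: str):
    """Parse `openssl version` output into (major, minor, fix, patch_letter).

    Raises ValueError for anything that is not an OpenSSL banner
    (e.g. LibreSSL), so such hosts are surfaced rather than silently skipped.
    """
    match = VERSION_RE.search(banner)
    if not match:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, fix = (int(x) for x in match.group(1, 2, 3))
    return major, minor, fix, match.group(4)


def is_in_heartbleed_range(banner: str) -> bool:
    """True if the reported upstream version is 1.0.1 .. 1.0.1f inclusive."""
    major, minor, fix, letter = parse_version(banner)
    if (major, minor, fix) != (1, 0, 1):
        return False  # 1.0.0 and earlier, and 1.0.2+, are outside the range
    # "" (plain 1.0.1) and the letters a..f all sort before "g".
    return letter < "g"


def hosts_to_patch(inventory: dict) -> list:
    """Given {host: banner}, return the hosts reporting an affected version."""
    return sorted(h for h, b in inventory.items() if is_in_heartbleed_range(b))


# Constructed sample inventory (hypothetical hosts, real OpenSSL banners).
SAMPLE_INVENTORY = {
    "web-01.example.test": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02.example.test": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail-01.example.test": "OpenSSL 1.0.0k 5 Feb 2013",
    "vpn-01.example.test": "OpenSSL 1.0.1 14 Mar 2012",
}

if __name__ == "__main__":
    for host in hosts_to_patch(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> upgrade and rotate keys")
```

A hit from this check means "investigate", not "confirmed vulnerable": vendor builds frequently backport the fix while keeping the upstream version string, so the package changelog or vendor advisory decides the final call.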

It’s not a lot of data -- just 64KB -- but attackers can capture anything that happens to be located within that 64KB memory segment, including usernames and passwords.

The bad news is that ‘Heartbleed’ lets an attacker keep coming back for more, essentially scraping the memory for more data. And it gets worse: almost all of this activity is untraceable.

Losing the crown jewels

The vulnerability also allows an attacker to capture the "private SSL key", which is used to decrypt SSL communications.

“This private key is how web browsers determine whether to display the green lock to show that the website is trusted. If this private SSL key is stolen, then the attacker can masquerade as your website and they will be trusted by every web browser and email client around the world,” Miller says.

‘Heartbleed’ has been present in servers and clients for around two years, and there is no information on whether hackers found the bug before its recent discovery. One thing we can be sure of is that with the details now out in the open, ‘Heartbleed’ is going to be the harbinger of a significant uptick in hacking activity.

For now, average users will have to wait until the sites they use patch their OpenSSL and issue new certificates.

According to Miller, the most likely victims from a consumer perspective will be those running Mac OS X or Linux since they are more likely to be running software that uses OpenSSL.

“Realistically, consumers won't be the direct targets since there are an enormous number of SSL servers on the internet who will become the first victims,” Miller says.

For larger organisations, the first step will be to upgrade OpenSSL to the latest version, followed by considering whether the SSL certificate should be revoked and replaced, together with a newly generated private key, since the old one may have been exposed.

High-risk systems will also need to consider forcing a password change for all users and terminating all active sessions.

However, spare a thought for the small to medium business operators, many of whom will have little guidance on whether they have been compromised, and face a substantial cost impost in regenerating their private keys and certificates.