The biggest bug in recent history: Heartbleed

Heartbleed is a bug that was recently found in OpenSSL, which is basically a piece of open-source software used by websites that offer encrypted logins (the little green lock on your browser). If you routinely visit banking, email, and some social media sites, you have seen this lock and assumed that you are safe when you put in sensitive information. That is basically the idea behind that icon on your browser – the information is secure and encrypted and only you and the trusted server at the other end can see it. During your surfing session, your browser may periodically send a heartbeat message to the far-end server to ensure that the connection remains open. The code that handles these heartbeat messages is where the bug lives, and it is worth looking at how it can be exploited, because it is not like the typical kind of attack a user might be warned about.

A web user is usually told to avoid surfing banking sites over untrusted or questionable hotspots or from internet cafes. You are also told not to trust someone else’s computer, because it could have a virus that grabs your keystrokes. Of these two warnings the second is the more important one, but it is easy enough to avoid. If you are at a public internet cafe, there are still mechanisms in place to protect you even from packet sniffers or man-in-the-middle attacks (where you inadvertently connect to a middle man impersonating your intended website). Encryption protects you from packet sniffers, and a website’s certificate protects you from a man-in-the-middle attack. A valid certificate is what turns on that green lock on your browser. The information exposed by Heartbleed can give a hacker what they need to perform these attacks easily, without the user realizing it.

To get this information, a hacker opens an SSL connection to the target website just as you would. They then write a script that sends SSL heartbeats to the target. Instead of sending a heartbeat whose length field matches its payload, as the specification requires, the hacker sends two bytes of data along with a payload length field claiming 64KB. Because of the bug, the server never checks the payload length against what was actually received, and so it sets aside that much memory for your two bytes of data and fills the reply from whatever is in its own memory. The extra space is the leaked memory that is invaluable to the hacker. As part of the heartbeat protocol, the server replies, but instead of just sending back your two bytes, it sends back 64KB of information from its memory.
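As an added illustration (not code from the original post or from OpenSSL), the following constructed C model shows exactly the missing check: one handler trusts the record's length field, the other checks it against the bytes actually received. The arena, `conn_t`, the mock `SECRET` and both handler names are assumptions made for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ARENA_SIZE 64          /* constructed "process memory" of the peer */
#define PADDING    16          /* minimum heartbeat padding */
#define OUT_SIZE   (ARENA_SIZE + PADDING)
#define HB_RESPONSE 2

/* The received record sits at the front of the arena; unrelated data follows it. */
typedef struct { unsigned char mem[ARENA_SIZE]; size_t record_len; } conn_t;

static const char SECRET[] = "SESSION-SECRET";   /* mock data lying past the record */

/* Build a request with a 2-byte payload "hi" but an arbitrary claimed length. */
static void build_conn(conn_t *c, uint16_t claimed) {
    memset(c->mem, 0, ARENA_SIZE);
    c->mem[0] = 1;                                  /* heartbeat_request */
    c->mem[1] = (unsigned char)(claimed >> 8);
    c->mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(c->mem + 3, "hi", 2);
    c->record_len = 3 + 2 + PADDING;                /* header + payload + padding */
    memcpy(c->mem + c->record_len, SECRET, sizeof SECRET);
}

/* Shared response builder: echoes `claimed` payload bytes. Returns response length. */
static size_t respond(const unsigned char *p, uint16_t claimed, unsigned char out[OUT_SIZE]) {
    out[0] = HB_RESPONSE; out[1] = p[1]; out[2] = p[2];
    memcpy(out + 3, p + 3, claimed);
    memset(out + 3 + claimed, 0, PADDING);
    return 3 + (size_t)claimed + PADDING;
}

/* Vulnerable: trusts the length field, so it copies bytes that were never received.
 * (Bounded by the arena only so this model stays defined C; the real code read the heap.) */
static size_t hb_vulnerable(const conn_t *c, unsigned char out[OUT_SIZE]) {
    uint16_t claimed = (uint16_t)((c->mem[1] << 8) | c->mem[2]);
    if (3 + (size_t)claimed > ARENA_SIZE) return 0;
    return respond(c->mem, claimed, out);
}

/* Fixed: the claimed length must fit inside the bytes actually received,
 * otherwise the request is silently discarded (the shape of the upstream fix). */
static size_t hb_fixed(const conn_t *c, unsigned char out[OUT_SIZE]) {
    if (c->record_len < 3 + PADDING) return 0;      /* not even a header plus padding */
    uint16_t claimed = (uint16_t)((c->mem[1] << 8) | c->mem[2]);
    if (3 + (size_t)claimed + PADDING > c->record_len) return 0;
    return respond(c->mem, claimed, out);
}
```

With a 2-byte payload that claims 40 bytes, the vulnerable handler's reply carries the mock secret that sits after the record, while the fixed handler returns nothing; the same request with an honest length of 2 is answered by both.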

So what is in this memory, and could it contain any of your information? It could if you have visited the site recently. Your credentials, along with other kinds of juicy stuff, could be in there. The crown jewel would be the server’s private key, which lives in the same process memory and can turn up in the same leak. With the private key, the hacker can decrypt any and all past and future communications to this server. With the private key, the hacker can also impersonate the website, and you would never receive a warning from your browser: you would get a green lock even while visiting the hacker’s website.

This is why the steps to fix this problem are the following: website admins have to patch OpenSSL to stop the memory leak, they have to get new certificates with new keys (their existing private keys might have been compromised), and finally they have to ask (and likely force) all users to change their passwords. By the way, OpenSSL has an estimated market share of over 66%. That is a large part of the Internet, and that is why this bug is such a big deal.
