
The Heartbleed Bug

The Heartbleed Bug is a recently discovered critical vulnerability in OpenSSL, the widely used open-source implementation of the SSL/TLS protocols. SSL/TLS provides security and privacy for many internet applications such as email, instant messaging, VPNs, and secure web pages.

The vulnerability is the result of an implementation problem (a programming mistake) in OpenSSL, which has left a large amount of private data exposed to the internet. Most people are likely to be directly or indirectly affected by this bug, because OpenSSL is the most widely deployed cryptographic library and transport layer security implementation on the Internet today.

OpenSSL 1.0.1 through 1.0.1f are vulnerable to this bug, and exploiting it leaves no trace of anything abnormal in logs, making attacks very hard to detect. The latest version of OpenSSL, 1.0.1g, is not affected, and we recommend upgrading to this version as soon as possible.
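As an added example that is not part of the original post, the following Python check parses the output of `openssl version` and flags versions in the 1.0.1 through 1.0.1f range named above; the host names and version strings in the inventory are constructed samples, and a distribution that backported the fix without changing the version letter will still be flagged, so treat "affected" as "needs verification" rather than proof.

```python
import re

# Range given in the post: OpenSSL 1.0.1 (no letter) up to and including 1.0.1f
# is affected; 1.0.1g is the first fixed release of the 1.0.1 series.
AFFECTED_SERIES = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

# Matches "OpenSSL 1.0.1f 6 Jan 2014" as well as a bare "1.0.1f".
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return ((major, minor, fix), letter) for an `openssl version` line, or None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix)), letter


def in_affected_range(text):
    """True when the version string falls inside 1.0.1 .. 1.0.1f.

    Only the 1.0.1 series is checked; other series are reported as out of range.
    A vendor build that patched the bug but kept the 1.0.1e/1.0.1f label is still
    reported True here, so confirm with a second check before acting on it.
    """
    parsed = parse_openssl_version(text)
    if parsed is None:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    base, letter = parsed
    if base != AFFECTED_SERIES:
        return False
    # '' (plain 1.0.1) and 'a'..'f' sort before 'g'; 'g' and later do not.
    return letter < FIRST_FIXED_LETTER


def triage(inventory):
    """Map each host to 'upgrade' or 'ok' from a {host: version_line} inventory."""
    return {host: ("upgrade" if in_affected_range(line) else "ok")
            for host, line in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1f 6 Jan 2014",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "vpn-01": "OpenSSL 1.0.1 14 Mar 2012",
    "mail-01": "OpenSSL 1.0.0l 6 Jan 2014",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```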

If you publish any secure services to the internet, you can test whether they are affected by the Heartbleed bug with either of these checkers: Heartbleed Test or SSL Labs.

More detailed information about the Heartbleed bug can be found here: Heartbleed Bug and Troy Hunt.

UPDATED: There are a myriad of websites right now explaining what Heartbleed is and how it works, so I won't try to reproduce those, and have linked some of them above. I do want to point out a couple of things. First, it has been reported that many of the 'site checkers' are returning false negatives, so don't rely solely on the checkers; confirm the result with other checks as well, such as the OpenSSL version actually installed on the host.

Second, there are two sites that I have found useful for seeing who is vulnerable: Mashable lists many of the common websites for general users, and this post on GitHub scanned the top 10,000 sites in the Alexa ranking.