Heartbleed - The OpenSSL Vulnerability
- AuthorAndrew Gray
You may have read about a significant security issue that has been reported in mainstream media recently: http://www.bbc.co.uk/news/technology-26935905
If you are interested in such things, as we are, it’s a fascinating story and a reminder of how security isn’t something given by God but rather the product of careful programming which is only as good as the stress-testing that it is exposed to.
Here’s a summary of what happened and how it might affect you.
OpenSSL is code to provide support for SSL/TLS which is the security and encryption layer used in secure web sites and a lot of other things including some VPNs, email, chat clients, etc. Two versions of it are in common and very wide use, v0.9.8 and v1.0.1, and these are used by free/open source programs like the Apache web server but also in closed source commercial programs and a lot of software-as-a-service sites.
The newer version, v1.0.1, has been found to contain a very serious bug that allows an attacker to read arbitrary memory on a vulnerable server without leaving any trace that they have done so. This memory could contain anything to do with the server's operation and has been proven to be able to result in the disclosure of important stuff like user names and passwords and, much worse, the private cryptographic key protecting the encrypted link. The older version, v0.9.8, is not affected.
Security researchers found the problem recently and, following the usual "full disclosure" rules for such things, informed vendors of the problem before making it public so that fixed software was available quickly.
The announcement was made late on Monday 7th April with most vendors having fixes available shortly after. The gap between fixes being available and being applied was around 5.5hrs in our case.
The Impact generally?
The impact generally is difficult to judge as currently nobody knows if the bug was being exploited before it had been found by the researchers. It’s entirely possible that nobody was exploiting it before then.
However, now that it has been reported it is most definitely being exploited so anyone who has not applied the fix is most definitely at risk.
Of course there is a small possibility that it's been widely exploited for the whole 2 years that the bug has been 'in the wild' and that SSL/TLS is compromised for large portions of the web, including high profile sites like Yahoo and maybe even your bank. The worst-case scenario is that the bug has already been used to obtain the private cryptographic key which secures any particular server. The private-key when combined with the public-key would allow them to eavesdrop on secure communications – a pretty scary prospect particularly if you are a bank.
If things are as bad as they could be, everyone will need to generate new keys for their servers, get new certificates and have all their users change their passwords. There may be some serious cleaning up to do if personal details have 'escaped'. The global certificate authorities may need to revoke their certificates leading to a wholesale replacement of the web's security infrastructure.
This could be very bad ... but right now we don't know how bad.
- This is a major issue that affects a very large percentage of sites that run secure https:// communications.
- At present there is no evidence that the vulnerability was being exploited by anyone before it was fixed.
- To be on the safe side, we have renewed the keys used for https:// communication
To finish on a bright note, this is actually a great example of the power of open systems. A vulnerability was found, it was reported widely and fixed within a very short timeperiod due to the collective efforts of developers all over the world. I for one, have much more confidence in this system than its commercial alternatives.