Security researchers have discovered a critical vulnerability in recent versions of OpenSSL, a technology that allows encrypted communication between millions of websites and their visitors and is being used by approximately two-thirds of the world’s web servers. The vulnerability has been in existence for two years, but has not been found until yesterday.
To add to the situation, an exploit was released that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that the site uses to encrypt and decrypt personal data.
What does this mean? Any website that has been keeping up with the OpenSSL updates has a vulnerability which allows an attacker to retrieve as many 64k chunks of memory as necessary. The block of memory could contain private and critical information, like passwords and encryption information that could allow the attacker to decrypt private information and communications (to and from the server).
With the server’s information and credentials an attacker could impersonate the server or perform a man-in-the-middle attack.
Just over one month ago Apple’s iOS and OS X operating systems were found to have a vulnerability in their implementation of SSL verification. The major security flaw allowed hackers to intercept email and communications that are supposed to be encrypted. The company fixed the issues with iOS version 7.0.6 and OS X version 10.9.1.
Hopefully, companies and organizations running vulnerable versions of OpenSSL will ask their users to change their passwords, and the companies should upgrade their machines and servers to the latest version (OpenSSL 1.0.1g), which patches the bug.
Here is a quote from OpenSSL’s news page:
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <firstname.lastname@example.org> and Bodo Moeller <email@example.com> for preparing the fix. Affected users should upgrade to OpenSSL 1.0.1g.
The researchers said even after vulnerable websites patch the OpenSSL bug, they may still remain vulnerable to attacks. The risk comes from the possibility that attackers already exploited the vulnerability to recover the private key of the digital certificate, passwords used to administer the sites, or authentication cookies and similar credentials used to validate users to restricted parts of a website. Recovering from the vulnerability, which has been out for the past two years, may also require revoking any exposed keys, reissuing new keys, and invalidating all session keys and session cookies. Companies are not able to rule out the possibility of being attacked because the exploit leaves no trace.
The biggest concern for users are websites that have their payment and personal information. Users are encouraged to change their online passwords on sites which have any personal or payment information, including online banking, Amazon, and any other online retailer you may use.
Several websites, including your bank’s site, may not be affected by the bug, however, it would not be a bad idea to change your password. If you are not already using one, I recommend using a password manager like PasswordBox or 1Password to create and store your long and secure passwords. A good secure password is one that is long and consists of characters, numbers, and symbols. A general tip: If you have a lot of passwords and can remember them all, they probably aren’t very secure.
Since iOS makes up the majority of mobile web usage, users should be a bit more careful and more aware of the possible consequences when entering personal or payment information online.
SSL Labs has updated its SSL Server Test to allow visitors to test whether a site is vulnerable to the Heartbleed bug. A couple of vulnerable websites (at the time of this post) are Yahoo, Flickr, Stack Overflow, and Steam’s Community page.
I encourage everyone to watch Steve Gibson’s in depth explanation of the bug on TWiT’s Security Now show, which starts around the 44 minute mark.
[via Heartbleed (Image Credit)]