By now, even acquaintances at the barber shop know about Heartbleed. However, it's important to understand just what Heartbleed was so that you're prepared for any similar bugs in the future.
Ever since Heartbleed, the critical OpenSSL bug, started compromising servers in early April, the entire Web has been in a panic. What’s Heartbleed? Has it stolen my data? What should I do to stay safe, or fix the problem if I’ve already been attacked? (Hint: Re-evaluate your passwords.)
Unfortunately, all that panic led to was mass confusion – and that’s never good. Here’s a quick run-down of the most common questions and misconceptions about Heartbleed. Don’t bleed – just read, so that in the future you'll know how to approach similar bugs in real time.
#1: Heartbleed is a virus – right? WRONG. Heartbleed is a bug – an unintentional programming mistake that took a turn for the worse. It’s not a virus (a piece of deliberately malicious code, designed by a deliberately evil hacker). Heartbleed isn’t a Frankenstein monster, built in a lab – it’s more like Godzilla, a mutant beast created by radiation. (If Godzilla were a built-in vulnerability in the TLS heartbeat mechanism of OpenSSL, that is.)
#2: How does Heartbleed work and what does it do? Computers (clients) send periodic “heartbeats” to the server in order to stay connected (a bit like radar pings). Each heartbeat request states how long its payload is, and vulnerable OpenSSL trusted that number without checking it against what actually arrived. The Heartbleed bug compromises these beats, allowing attackers to retrieve large chunks of random memory (up to 64 KB) directly from the server. This way, cyber-criminals can lift sensitive data from the server without leaving any traces.
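To make the mechanism in #2 concrete, here is an added example (not code from the original article, and not OpenSSL's own code) that simulates a heartbeat handler over a constructed memory buffer: the same function run with and without the single length check that the fix added. The memory layout, the "hi" request and the secret string are made up for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding */

/* Simulated heartbeat handler. `mem` is a constructed stand-in for process
 * memory: the received record occupies its first `rec_len` bytes and whatever
 * follows plays the role of unrelated data sitting next to it in memory.
 * Returns the response length, or -1 if the request is rejected. */
int heartbeat_response(const uint8_t *mem, size_t mem_len, size_t rec_len,
                       uint8_t *out, size_t out_cap, int bounds_check)
{
    if (rec_len < 3 || rec_len > mem_len || mem[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)mem[1] << 8) | mem[2];   /* peer-declared length */
    /* The check the fix added: the declared payload must fit inside the record
     * that actually arrived. The bug was trusting `payload` without this line. */
    if (bounds_check && 1 + 2 + payload + HB_PADDING > rec_len) return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap || 3 + payload > mem_len) return -1; /* keep the demo in bounds */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8); out[2] = (uint8_t)payload;
    memcpy(out + 3, mem + 3, payload);         /* echoes as many bytes as `payload` says */
    memset(out + 3 + payload, 0, HB_PADDING);  /* padding; random in real TLS */
    return (int)resp_len;
}

/* Constructed memory image: a 21-byte request carrying "hi" whose length field
 * says `declared`, followed at offset 32 by a made-up secret. */
#define MEM_LEN 96
#define REC_LEN (1 + 2 + 2 + HB_PADDING)
static const char SECRET[] = "session=CONSTRUCTED-SAMPLE-SECRET";
static void build_memory(uint8_t *mem, uint16_t declared)
{
    memset(mem, 'X', MEM_LEN);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(declared >> 8); mem[2] = (uint8_t)declared;
    memcpy(mem + 3, "hi", 2);
    memcpy(mem + 32, SECRET, sizeof SECRET - 1);
}

/* 1 if the reply contains the secret, 0 if it does not, -1 if rejected. */
int reply_leaks_secret(uint16_t declared, int bounds_check)
{
    uint8_t mem[MEM_LEN], out[256];
    build_memory(mem, declared);
    int n = heartbeat_response(mem, MEM_LEN, REC_LEN, out, sizeof out, bounds_check);
    if (n < 0) return -1;
    for (size_t i = 3; i + (sizeof SECRET - 1) <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, sizeof SECRET - 1) == 0) return 1;
    return 0;
}
```

An honest request (declared length 2) gets the same 21-byte reply either way; a request declaring 64 bytes is rejected with the check and answered with the neighbouring secret without it.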
#3: Is Heartbleed a Man-in-the-Middle attack? No, it has nothing to do with MitM. However, hackers using the Heartbleed bug can potentially obtain the SSL encryption key and use that key to set up a fake website. Attackers could also decrypt the traffic passing between the server and the client (a perfect man-in-the-middle attack).
#4: Who’s vulnerable: clients or servers? Actually, both: since TLS heartbeats can be sent from the client side or the server side, hackers can target either end of the connection. Around two-thirds of the world’s servers, including sites, email and IM, have been affected by Heartbleed.
#5: Can Heartbleed affect smartphones? Sadly, yes. (This is a great example of client-side attacks.) Apple’s iOS products are currently unaffected, but some BlackBerry products are vulnerable, as is Android 4.1.1 Jelly Bean. Google has created a patch for the affected Android versions, but it may take a while for manufacturers and wireless carriers to deliver the update.
#6: Whose fault is Heartbleed? Since OpenSSL is an ongoing project maintained by multiple unpaid developers, it’s hard to blame any one person. However, a German developer named Robin Seggelmann – the one who first introduced the “heartbeat” concept to OpenSSL in 2011 – says he “missed a variable” while designing one of the new features. The problem went undetected for more than two years.
#7: What other devices might be vulnerable to Heartbleed? Anything that runs on OpenSSL – smart TV sets, routers, medical devices, IP phones – could potentially be affected. ICS-CERT (Industrial Control Systems CERT) has warned critical infrastructure players (energy, utilities or banking providers) to beef up their security systems.
#8: Who’s been tapping into Heartbleed? The NSA has denied using the Heartbleed bug to gather information over the past two years. (Use your own judgment about trusting them.) However, any hacker or cybercriminal can potentially exploit the flaw, which is why security is so important.
#9: What can I do to stay safe? Change all your passwords, for starters. (We’ve written a how-to article here.) Then use the following resources to see if any of the sites you visit are vulnerable to Heartbleed:
https://filippo.io/Heartbleed/
http://seguranca.adtsys.com.br/
http://provensec.com/heartbleed/
https://sslcheck.globalsign.com/en_US
To protect yourself while using Chrome, add Chromebleed to your browser. The Bluebox Heartbleed Scanner on Google Play will help you determine if any of your Android devices have been compromised.
#10: What are some final tips?
Make sure you enable two-factor authentication on all your accounts.
If your SSL service is vulnerable, upgrade OpenSSL to 1.0.1g and get a new certificate (the old private key may have been exposed). And finally – don’t panic. Heartbleed is a nuisance, but it’s not the end of the world.
For more tips on staying safe after Heartbleed, read our article here.