Anatomy of a Broken Heart: The Heartbleed Bug, Explained

On or before March 21, Google Security researcher Neel Mehta discovered the Heartbleed bug, which affects any website using the Secure Sockets Layer (SSL) toolkit OpenSSL, versions 1.0.1 through 1.0.1f. On April 7, the discovery went public on a dedicated website, and the Internet exploded with dire warnings of worst-case scenarios.

What is Heartbleed, how does it work, and what can companies do to protect themselves?

One Little Mistake, One Big Security Problem

It didn’t take much to make many of the world’s most popular websites — including Google, Yahoo, Amazon and YouTube — vulnerable to malicious attacks via OpenSSL, as reported by Mashable. But to understand the reach and the potential repercussions of this bug, we need to back up.

In the beginning, there was the Secure Sockets Layer (SSL), and it was good. Next came Transport Layer Security (TLS), and it, too, was good. Together, these protocols handle the encryption keys necessary for website servers and user computers to safely communicate.

OpenSSL evolved as a set of open-source tools that let developers easily integrate SSL/TLS functionality into their websites or web applications. Major Linux distributions, such as Debian, SUSE and Red Hat, ship OpenSSL, as do the popular web servers Apache and Nginx.

So what went wrong? According to Engadget, version 1.0.1 of OpenSSL, which was released on April 19, 2012, had a small flaw in its “heartbeat” function. Heartbeat is like a call-and-answer between user machines and web servers: When you access a website, your computer sends out a heartbeat request to the server. The server echoes it back, and your computer knows the server is listening and ready for your request.

The Heartbleed bug — superbly explained by this XKCD comic — happens when the requesting computer declares a payload larger than the data it actually sent: the server never checks the declared length against what arrived, so it answers with up to 65,536 bytes of whatever sits in its memory. The result? Not only do you get the response you wanted, but you get a host of other — theoretically protected — data as well.
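To make that length confusion concrete, here is an added C simulation; it is not OpenSSL's code or the article's. A heartbeat record is placed at the front of a constructed memory region, followed by a labelled marker string that stands in for whatever neighbouring data the process happened to hold. The buggy handler trusts the declared payload length; the fixed handler applies the bounds check that 1.0.1g introduced, dropping any message whose declared length does not fit in the bytes that actually arrived. The marker string, buffer sizes and handler names are all constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>= 16)
 * The number of bytes that actually arrived is known from the TLS record
 * layer and is independent of the peer-supplied payload_length field. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed stand-in for process memory: the received record sits at the
 * front, and a labelled marker string models whatever else the process
 * happened to hold right after it (session data, keys, other requests). */
#define MEM_SIZE 128
static unsigned char memory[MEM_SIZE];
static const char *secret_marker = "SECRET-DATA-IN-NEARBY-MEMORY";

/* Builds a heartbeat request whose declared length may disagree with the
 * payload actually sent. Returns the true record length (what arrived). */
static size_t build_memory(uint16_t declared_len, const char *payload) {
  size_t plen = strlen(payload);
  size_t record_len = 3 + plen + HB_PADDING;
  memset(memory, 0, sizeof memory);
  memory[0] = HB_REQUEST;
  memory[1] = (unsigned char)(declared_len >> 8);
  memory[2] = (unsigned char)(declared_len & 0xff);
  memcpy(memory + 3, payload, plen);
  memcpy(memory + record_len, secret_marker, strlen(secret_marker));
  return record_len;
}

/* Buggy handler, modelling the pre-1.0.1g logic: the declared length is
 * trusted and the real record length is never consulted. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                                unsigned char *out, size_t out_cap) {
  (void)record_len;                       /* the bug: never checked */
  size_t declared = (size_t)((rec[1] << 8) | rec[2]);
  size_t resp_len = 3 + declared + HB_PADDING;
  if (resp_len > out_cap) return -1;
  /* The demo stops at the end of the simulated region rather than reading
   * past a real allocation; the real bug had no such guard. */
  size_t avail = (size_t)((memory + MEM_SIZE) - (rec + 3));
  size_t copy = declared < avail ? declared : avail;
  out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
  memcpy(out + 3, rec + 3, copy);         /* over-reads past the payload */
  memset(out + 3 + copy, 0, resp_len - 3 - copy);
  return (int)resp_len;
}

/* Fixed handler, modelling the 1.0.1g check: header, declared payload and
 * minimum padding must all fit inside the bytes that actually arrived. */
static int heartbeat_fixed(const unsigned char *rec, size_t record_len,
                           unsigned char *out, size_t out_cap) {
  if (record_len < 1 + 2 + HB_PADDING) return -1;           /* runt record */
  size_t declared = (size_t)((rec[1] << 8) | rec[2]);
  if (1 + 2 + declared + HB_PADDING > record_len) return -1; /* silently drop */
  size_t resp_len = 3 + declared + HB_PADDING;
  if (resp_len > out_cap) return -1;
  out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
  memcpy(out + 3, rec + 3, declared);                  /* within the record */
  memset(out + 3 + declared, 0, HB_PADDING);           /* fresh padding */
  return (int)resp_len;
}

/* Does a response carry the marker, i.e. did memory beyond the request leak? */
static int contains_marker(const unsigned char *buf, size_t len) {
  size_t m = strlen(secret_marker);
  for (size_t i = 0; i + m <= len; i++)
    if (memcmp(buf + i, secret_marker, m) == 0) return 1;
  return 0;
}

typedef int (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

/* 1 if the handler's response leaks the marker, 0 if not (or if dropped). */
static int leaks_with(hb_handler handler, uint16_t declared_len, const char *payload) {
  unsigned char out[512];
  size_t record_len = build_memory(declared_len, payload);
  int n = handler(memory, record_len, out, sizeof out);
  return n < 0 ? 0 : contains_marker(out, (size_t)n);
}

/* 1 if the fixed handler answers the request, 0 if it drops it. */
static int fixed_accepts(uint16_t declared_len, const char *payload) {
  unsigned char out[512];
  size_t record_len = build_memory(declared_len, payload);
  return heartbeat_fixed(memory, record_len, out, sizeof out) >= 0;
}

int main(void) {
  printf("honest 4-byte request, buggy handler leaks:     %d\n", leaks_with(heartbeat_vulnerable, 4, "ping"));
  printf("request claiming 64 bytes, buggy handler leaks: %d\n", leaks_with(heartbeat_vulnerable, 64, "ping"));
  printf("request claiming 64 bytes, fixed handler leaks: %d\n", leaks_with(heartbeat_fixed, 64, "ping"));
  printf("fixed handler accepts honest request:           %d\n", fixed_accepts(4, "ping"));
  printf("fixed handler accepts oversized request:        %d\n", fixed_accepts(64, "ping"));
  return 0;
}
```

The fix is the single comparison in `heartbeat_fixed`: a length field supplied by the peer is only ever trusted after it has been checked against a length the server measured itself. The fixed handler also zero-fills its own padding instead of copying it from the request, so nothing beyond the declared payload is ever echoed.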

Heartbleed’s Impact on the Web

Initial reports stated that up to 60 percent of all Internet servers had the Heartbleed bug, but that estimate has since been downgraded to 17.5 percent or less. But even with less than one-fifth of the World Wide Web vulnerable, the bug could have major impact.

Theft of personal data is one problem. The Canada Revenue Agency reported that social insurance numbers (SIN) belonging to 900 Canadians were stolen, thanks to Heartbleed. Much like Social Security numbers, the SINs could be used to create fake credit card accounts or obtain fake identification.

In addition, companies are now grappling with the problem of SSL certificates. Using Heartbleed, attackers can steal a site’s private key and then spoof the identity of that trusted site, leading users to provide personal information under the guise of security. But as a recent Washington Post article points out, revoking all current SSL certificates and issuing new ones could force web browsers to download massive revocation lists just to access a single site.

What’s the Fix for Heartbleed?

On April 11, network provider Akamai, which handles nearly a third of the world’s Internet traffic, reported that it had patched Heartbleed. The company later recanted, saying a bug in the patch meant it protected only three of the six secret values that make up an RSA private key. OpenSSL, for its part, released version 1.0.1g on April 7, which fixed the toolkit’s vulnerability.

But the availability of this upgrade doesn’t mean every server is safe, so businesses must now take three steps to protect themselves.

First, make sure your web host has upgraded OpenSSL to the latest version. Next, examine any SSL certificates to see whether they should be revoked — if expiration is near, the certificates can wait. Finally, change passwords at every level of your organization; consider password managers, such as LastPass or Dashlane, to make sure login credentials are regularly changed.
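For the first step, here is an added C helper, not from the article or from OpenSSL, that screens the banner printed by `openssl version` against the version range the article names (1.0.1 through 1.0.1f). It encodes versions the same way OpenSSL’s own OPENSSL_VERSION_NUMBER does so that letter releases compare correctly. The sample banners are constructed; the caveat about distribution packages backporting the fix without changing the version letter is a fact about vendor packaging, not something the article states.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Encode a release as OpenSSL's OPENSSL_VERSION_NUMBER does (0xMNNFFPPS):
 * major, minor, fix, patch letter (a = 1, b = 2, ...), status nibble f = release. */
static long encode_version(int major, int minor, int fix, int patch) {
  return ((long)major << 28) | ((long)minor << 20) | ((long)fix << 12) |
         ((long)patch << 4) | 0xf;
}

/* Parse the banner printed by `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
 * Returns the encoded number, or -1 if the banner is not an OpenSSL one. */
static long parse_openssl_version(const char *banner) {
  const char *p = strstr(banner, "OpenSSL ");
  int major, minor, fix, patch = 0;
  char letter = 0;
  if (!p) return -1;
  int n = sscanf(p + 8, "%d.%d.%d%c", &major, &minor, &fix, &letter);
  if (n < 3) return -1;
  if (n == 4 && isalpha((unsigned char)letter))
    patch = tolower((unsigned char)letter) - 'a' + 1;
  return encode_version(major, minor, fix, patch);
}

/* The range the article names: 1.0.1 up to and including 1.0.1f; 1.0.1g fixed it. */
static int version_in_affected_range(long v) {
  return v >= encode_version(1, 0, 1, 0) && v < encode_version(1, 0, 1, 7);
}

/* 1 = the version number alone says upgrade, 0 = outside the range,
 * -1 = not an OpenSSL banner (LibreSSL, BoringSSL, garbage).
 * Caveat (vendor packaging fact, not from the article): distributions often
 * backport the fix without changing the letter, so a "1.0.1e" banner from a
 * vendor package may already be patched. Treat this as a first screen and
 * confirm against the package changelog before concluding a host is exposed. */
static int banner_needs_attention(const char *banner) {
  long v = parse_openssl_version(banner);
  return v < 0 ? -1 : version_in_affected_range(v);
}

int main(void) {
  /* Constructed sample banners; the date portion is never parsed. */
  const char *samples[] = {
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1f 6 Jan 2014",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.1",
    "LibreSSL 2.0.0",
  };
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
    printf("%-28s -> %d\n", samples[i], banner_needs_attention(samples[i]));
  return 0;
}
```

Run `openssl version` on each host and feed the output to `banner_needs_attention`; a result of 1 means the library is within the affected range and the host needs the upgrade (or a vendor patch confirmed in the package changelog) before certificates are rotated and passwords changed, since new keys and credentials sent through a still-vulnerable server can be exposed again.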

Don’t bleed out private information — get patched, change your passwords and stay ahead of Heartbleed.