Sunday, April 13, 2014

What Is the OpenSSL Heartbleed Bug and Why Should You Care?

As a regular Internet user, you expect the background of the Internet to just work. Everything that goes on behind the scenes, all the encryption, all of the handshakes, and every little transaction should be able to provide you with a safe way to communicate and do your business online without having to worry about hackers prowling at your every move. Unfortunately that’s not how the Internet works, and the OpenSSL “Heartbleed” bug is definitive proof of this. There are some things you should know about this bug because, in all likelihood, it pertains to you more than you think.
OK, so I mentioned OpenSSL twice and didn’t even explain it to you. Do you see the little lock icon next to the “https://” on your browser when you enter “secure” sites? It looks something like this on Google’s Chrome web browser:
opensslbug-paypal
When you see that, you’re using a special form of encryption known as secure socket layer (SSL) or transport layer security (TLS). To provide services with this encryption, you need an algorithm that will provide the encryption/decryption for the packets you exchange with the server. This means that they need to have a way to translate your text into unreadable gibberish and then translate it back from that into the readable form on their own end. Using this technology, if a hacker somehow manages to interfere with your connection to the server, all he’ll read is a long string of babble.
Now, we get to the part (finally) where we explain what OpenSSL is: It’s a free and open-source implementation of SSL/TLS protocols. With this technology, anyone can provide encrypted services to you. Many companies you have accounts with may use OpenSSL to encrypt your data.
But what if OpenSSL has a bug that completely defeats the purpose of encryption?
opensslbug-heartbleed
On April 10, 2014, the folks at PerfectCloud, an identity security company, have reported on a massive hole in OpenSSL’s coding known as the “Heartbleed” bug. For two years, we haven’t seen a new version of OpenSSL, and during that time it had a problem in its code which exposed a bit of server memory. This memory chunk could contain the private keys that are used to encrypt/decrypt data. Ouch!
What this means is that a hacker could discover the server’s cryptographic keys and simply decrypt everything you send to it, including your username, your password, and everything else that’s important and dear to you.
The bug was fixed on April 7th, 2014, but that doesn’t mean that everyone’s followed through with an update to their implementations of OpenSSL. Major Internet companies like Amazon and Yahoo have taken care of the issue, but that still doesn’t mean you’re in the clear! A hacker could have your username and password on a list right now ready to be used to try to access any other accounts you may have elsewhere.
So, even if a company upgrades to the latest OpenSSL implementation, you’re still at risk for previous exposures. However, if there are any further hacking attempts, they won’t succeed. What you can do in this situation is change your password everywhere. Don’t let it wait. Just change everything so that you’re prepared if a hacker ever decides to try out your accounts.
This bug simply shows how delicate and interwoven the Internet is. Despite its booming security awareness and unregulated awesomeness, the Internet is still the internet, and it will always be under siege. What recommendations do you have for companies that use OpenSSL? How did your understanding of security ecosystems change? Are you confused about something? Post your thoughts on anything related to OpenSSL in the comments area below!

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.