What is Heartbleed, the bug that’s leaking your data?

File this under “complicated but important.”

Fernando Alfonso III

Players for the University of Kentucky and the University of Connecticut basketball teams weren’t the only ones sweating the big one Monday night.

Web server administrators are scrambling to address a new bug affecting the security of the Bitcoin business community, the FBI, and millions of websites around the world, including Yahoo and Tumblr.

Dubbed the “Heartbleed bug,” the flaw affects roughly two-thirds of the entire Web, and makes it possible to swipe “usernames, passwords, instant messages, personal emails, transactions and sensitive business information” from servers powering the Internet, cybersecurity firm CNW Group reported.

Here’s what you need to know about the Heartbleed bug, how you can find out if you’re affected, and how to fix it.

What exactly is the bug?

The Heartbleed bug is a vulnerability in OpenSSL, a widely used open-source cryptographic library that implements Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption. The flaw in OpenSSL potentially allows attackers to read private information that should be tightly protected.

(The bug’s technical name is CVE-2014-0160, and it specifically concerns OpenSSL’s implementation of the TLS heartbeat extension.)

SSL is a popular security technology that creates an “encrypted link between a web server and a browser,” info.ssl.com states. SSL is used by millions of websites to protect data exchanged between browsers and servers. This is done through an SSL certificate.

“An SSL certificate is a bit of code on your Web server that provides security for online communications,” thawte.com states. “When a Web browser contacts your secured website, the SSL certificate enables an encrypted connection. It’s kind of like sealing a letter in an envelope before sending it through the mail.”

TLS is similar to SSL in that it is used to protect Internet communications and ensure “that no third party may eavesdrop or tamper with any message,” SearchSecurity states.

You can tell when a website uses TLS or SSL when a small lock appears on your browser’s location bar, or you see “HTTPS” in the URL.

For those of you with a bit more technical savvy: The Heartbleed bug affects OpenSSL versions 1.0.1 through 1.0.1f. According to PC World, the following operating systems ship with an affected version: Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2, and OpenSUSE 12.2.

Skillful manipulation of the vulnerability allows an attacker to read small chunks of the server’s memory. By collecting and analyzing many of those chunks, an attacker can piece together private information.

Is this bug new?

The Heartbleed bug has actually been around since 2011, “meaning critical data on a large portion of the Internet has been openly available for years,” Coindesk reported. It is unclear whether this vulnerability has ever been exploited.

The bug was recently “discovered” by security professionals at Codenomicon and Neel Mehta of Google Security, which is why it’s suddenly a big deal.

How do I know if I’ve been affected?

Italian programmer Filippo Valsorda has created a handy tool called the “Heartbleed Test” that lets people enter the hostname of their server to see whether it is vulnerable.

More importantly, it is imperative that you change all your passwords. Yes, all of them—it’s prudent to assume every password used for the past two years has leaked into nefarious hands.

How can I fix this?

In most cases, you won’t have to—that’s the job of Web server administrators. If you wear that hat and still feel in over your head, Codenomicon says the best solution is to install the latest version of OpenSSL or “recompile OpenSSL with the handshake removed from the code by compile time option -DOPENSSL_NO_HEARTBEATS.”
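For administrators who want a quick first check before patching, here is an added example (not part of this article and not from Codenomicon or the OpenSSL project): a small POSIX shell script that takes an `openssl version` string and reports whether it falls in the 1.0.1 through 1.0.1f range given above. The function names are my own, and the sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the article: decide whether an OpenSSL version
# string lies in the Heartbleed-affected range the article names
# (1.0.1 through 1.0.1f). Only that 1.0.1 release series is checked.

# normalize_openssl_version: accept either a bare version ("1.0.1e") or a
# full `openssl version` line ("OpenSSL 1.0.1e-fips 11 Feb 2013") and print
# just the release token, e.g. "1.0.1e".
normalize_openssl_version() {
    v=${1#OpenSSL }   # drop the "OpenSSL " prefix if present
    v=${v%% *}        # keep the first token, dropping the build date
    v=${v%%-*}        # drop "-fips" style suffixes
    printf '%s\n' "$v"
}

# heartbleed_affected VERSION: exit status 0 if the version is in the
# affected range, 1 otherwise (so it can be used directly in an `if`).
heartbleed_affected() {
    case "$(normalize_openssl_version "$1")" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1 with no letter, or 1.0.1a..1.0.1f
        *)                return 1 ;;   # 1.0.1g and later, 1.0.0, 0.9.8, ...
    esac
}

# heartbleed_verdict VERSION: print a one-word verdict for logs or scripts.
heartbleed_verdict() {
    if heartbleed_affected "$1"; then
        echo affected
    else
        echo unaffected
    fi
}

# Check the locally installed binary, if there is one. Caveat: distributions
# often backport the fix without changing the version string, so "affected"
# from the version alone means "verify with the package changelog or the
# Heartbleed Test", not "confirmed vulnerable".
if command -v openssl >/dev/null 2>&1; then
    installed=$(openssl version)
    printf '%s -> %s\n' "$installed" "$(heartbleed_verdict "$installed")"
fi
```

Because the check keys only on the version token, it is a triage aid rather than proof: a server whose distribution patched OpenSSL in place will still print an affected-looking version, and the opposite case (a new version string on an unpatched binary) cannot happen, so an "unaffected" verdict on an exact match is the more trustworthy direction.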

Note: This story has been updated with additional contextual information concerning Tumblr and Yahoo vulnerabilities, and with advice about changing passwords.

Illustration by Jason Reed

The Daily Dot