The Heartbleed Bug
The Heartbleed bug has been making news for quite some time now. Announced in April 2014, it has been identified as one of the biggest security loophole in the OpenSSL technology. OpenSSL technology is an open source library which provides implementation of the SSL (Secure Sockets Layer) and TSL (Transport Sockets Layer) protocols and is mainly used to encrypt web communications. Heartbleed makes the sensitive information which travel using SSL or TSL protocol, vulnerable to attackers/hackers. Almost all our internet activities like web browsing, email, social media, banking etc has come at risk because of this defect identified. Let us find out little more useful information about this bug.
Why is it called heartbleed?
As stated earlier, heartbleed is a bug identified in OpenSSL which is used to encrypt communications in a secure manner over the web. OpenSSL works by checking whether a connection between 2 servers is live or not. This is called heartbleed extension. Unfortunately there has been identified a flaw in the code which implements this extension due to which it bleeds out some of the secure information from the memory like passwords, credit card numbers etc. which can be intercepted by the attackers and misused. Thus it is called HeartBleed.
Codenomicon was the first company to discover this bug and its name has been given by one of its developer (cyber security company based in Finland) — Ossi Herrala.
What all are affected by this bug?
Heartbleed is a cause for concern as it has infiltrated Internet which is a global network connecting millions and is widely used throughout the world.
Almost all our private data, passwords, web content has become vulnerable because of this security fault. It could be that the site which we are accessing has been afflicted with the heartbleed bug making our data more insecure and visible to the attackers. Internet activities such as email, web browsing, social media, shopping, payments etc. are all at risk and it largely depends on the host channels or websites to secure or apply a patch to fix this bug making the users almost hapless against it.
Many websites such as Google, Facebook, Tumblr, and Yahoo have already updated their software against this bug. However, still a large number of other websites remain to declare they are safe to be used and are not afflicted by HeartBleed.
How can we check if a particular website is affected by HeartBleed?
Developer Filippo Valsorda has developed a website, https://filippo.io/Heartbleed/, where we just need to enter the URL of the website you want to visit and see the results. Screenshot below:
Apart from this several extensions have been developed which ease out the process to find if a website is susceptible to HeartBleed. For example:
- Chromebleed – It is an extension developed by Jamie Hoyle for chrome users which displays a warning if we browse a site affected by HeartBleed. Chromebleed essentially uses the web service developed by Filippo Valsorda and displays the warning message.
- Foxbleed and Heartbleed Ext – Are few extensions available for Firefox users. Heartbleed Notifier and Heartbleed Monitor are some other add-ons available for Firefox.
Acting against HeartBleed?
The end users are almost helpless against fixing this bug on their own. All they can do is to rely on the website administrator / provider to apply the latest patches and fixes to protect their systems against this bug. However some basic measures which can be taken are as below:
- Check authenticity of the website before accessing it to make sure it is heartbleed proof.
- Change passwords regularly and as often as possible. Make them complex and make sure same password is not used for multiple accounts.
- Monitor payments, statement reports regularly and report any suspicious activity immediately to the concerned authorities.
- As it affects even cell phones, update the software with the latest patched version to make sure you and your data is safe.
However, the onus relies mainly on the website owners who need to update users of this susceptibility and fix it as soon as possible.
The revelation of HeartBleed has made it known that we are not as safe as we think and the internet which has converted itself to one of the necessities in our life needs more scrutiny and should be handled with care. Also more caution needs to be used and we need to keep an eye for vulnerabilities and any causes of concern.
As reports suggest it will still take some time for all websites to declare their acknowledgement of this loophole and update themselves against it. Till then we can only hope that it gets fixed as soon as possible and we are lucky enough not be caught in it.