Here's What You Need to Know About the 'Heartbleed' Bug That's Attacking Millions of Websites
By Jill Scharr, Tom’s Guide
Millions of websites may have been leaking critically sensitive data for the past two years, thanks to a devastating flaw in the OpenSSL software many sites use to encrypt and transmit data.
The Heartbleed bug, as it’s called by the researchers who discovered it, would let anyone on the Internet get into a supposedly secure Web server running certain versions of OpenSSL and scoop up the site’s encryption keys, user passwords and site content.
Once an attacker has a website’s encryption keys, anything is fair game: Instead of slipping through a proverbial crack in the wall, he can now walk in and out the front door.
There have been no documented instances of attacks exploiting the Heartbleed bug. But because an attack using the bug would leave no trace, and the potential damage from an attack would be so significant, all websites that ever used the affected versions of OpenSSL should be considered compromised.
Websites that are currently vulnerable to Heartbleed exploits include Yahoo, Comixology, Flickr, Imgur and OculusVR. Many other top sites — including Facebook, Google, Wikipedia, Amazon, Twitter, Apple and Microsoft — are not currently vulnerable, though some may have been in the past.
How the Heartbleed bug works
Most secure websites encrypt traffic to and from their servers using a protocol called SSL/TLS. There are several different encryption “libraries” that can be used in this protocol, and one of the most widely used is an open-source library called OpenSSL.
The Heartbleed bug is in versions of OpenSSL issued from December 2011 onward, not in SSL/TLS itself. Not every instance of SSL or TLS encryption across the Internet is compromised. But OpenSSL is the default encryption library in Apache and Nginx server software, which power two-thirds of all websites.
An attack exploiting the Heartbleed bug would leave no trace in an attacked Web server’s logs. It’s impossible to tell how many sites, if any, may have been exploited, and how many may have been vulnerable over the past two years.
Neel Mehta of Google Security and a team of engineers at Oulu, Finland-based security company Codenomicon first discovered the Heartbleed bug, though they haven’t specified when. They’ve created a FAQ page at heartbleed.com with full details.
The bug’s name refers to a handshake (process of connecting to a network) in OpenSSL’s code called the “heartbeat extension,” which sets a limit on how long an encrypted session stays valid. A coding error meant that the extension was missing a necessary verification (called a bounds check), thus giving an attacker access to additional information about the server and creating the vulnerability.
The most recent version of OpenSSL, 1.0.1g, patches the flaw, so any websites running OpenSSL should upgrade to the newest version immediately.
However, the damage has been done. Versions of OpenSSL with the bug have been in use for more than two years. If an attacker used the Heartbleed bug to get into a Web server, he would have access to the website’s “crown jewels”: its encryption keys.
With the keys, attackers could decrypt traffic to and from the server; impersonate the server so that users who think they’re visiting a given website are actually visiting a fraudulent site disguised as the correct one; or decrypt the server’s databases, including their users’ personal information, such as usernames, passwords, email addresses, payment information and more.