Reports have recently hit the news of a security flaw in a popular encryption library that could expose usernames, passwords, and other sensitive data without the knowledge of either the sender or the recipient.
Commonly known as the Heartbleed Bug, it affects roughly half a million websites with encryption certificates issued by trusted authorities. The vulnerability appears to have been introduced in 2011 and has been known to hackers since March of 2012.
The SSL (secure sockets layer) protocol utilizes public key encryption to secure data transmitted between clients and servers in applications such as websites, instant messaging, email, and virtual private networks (VPNs). It relies upon digital certificates issued by trusted third parties to ensure that both parties are who they claim to be.
Digital certificates contain data that allow parties to determine their veracity during what is known as the handshake. During the handshake, the client and server exchange private keys which are large, random numbers used by algorithms to encrypt transmitted data. It is crucial to the integrity of an SSL communication that the private key remains confidential.
A common attack on SSL is the man in the middle (MITM) attack. The most common type of MITM attack is a hacker intercepting communications between a client and a server and then substituting them with his or her own communications. In order to do this, the hacker must spoof the certificates, something to which users of most modern applications will be alerted.
What makes an attack using Heartbleed unique is that it does not require MITM tactics, can’t be detected, and won’t leave any evidence.
Heartbleed is the result of a programming mistake in the Heartbeat extension of the OpenSSL Library used in certain applications to overcome a limitation of SSL. The mistake can be used to expose up to 64 kilobytes of data at a time.
In one Heartbleed attack scenario, an attacker continues to intercept 64 kilobyte chunks of data until he or she has intercepted the private key for the communication, giving the hacker the ability to decrypt all of the data intercepted.
While the implications of the Heartbleed bug are alarming, the scope of its impact is somewhat limited. It only affects OpenSSL, one of many implementations of the SSL protocol, and only affects two versions of OpenSSL, one of which is a beta. The affected version must also have the Heartbeat extension enabled, which is only necessary in certain environments.
According to the most recent Netcraft SSL survey, 17.5% of SSL websites use OpenSSL with Heartbeat enabled. As mentioned above, this is roughly 500,000 websites and does not include other applications where OpenSSL with Heartbeat might be used.
Perhaps the most vexing part of the Heartbleed Bug is the difficulty victims will have in determining the damage done. Since it is nearly impossible to detect its use, firms that have used compromised versions of OpenSSL will only know they have fallen victim to the attack once another attack occurs or they find confidential information has leaked.