Earlier this week security researchers announced the discovery of a security flaw which affects more than two-thirds of all the websites on the internet. Heartbleed could be one of the most serious cybersecurity discoveries in recent years, but what is it, who does it affect, are cybercriminals exploiting it and how can it be fixed?
Here is our complete guide to the Heartbleed Bug:
What is the Heartbleed Bug?
To fully understand the Heartbleed security flaw, we first need to look at a few of the technologies which underpin the securing of our online communications.
What is SSL?
SSL (which stands for Secure Sockets Layer) is the technology behind the little green padlock symbol you see in the URL bar of your web browser when visiting sites such as Gmail, Yahoo or Facebook.
SSL encrypts data being sent to and from the sites which use it meaning anyone looking to spy on this information will only see a random string of code which they will be unable to decipher.
[Note: TLS (Transport Layer Security) is the successor to SSL, but for simplicity's sake we'll use SSL in this article; for our purposes you can think of them as interchangeable.]
What is OpenSSL?
OpenSSL is an open-source implementation of the SSL protocols. According to the latest statistics from NetCraft, more than 66% of the active websites on the internet rely on OpenSSL to encrypt their communications.
So, what is Heartbleed?
Part of how SSL works is that it allows one of the computers involved in the data exchange to send a short message - known as a heartbeat - to the other computer to check that it is still online, and receive a reply back.
Researchers discovered that it is possible to send a specially crafted, malicious heartbeat message to the second computer to trick it into giving up sensitive information. This is what has become known as the Heartbleed flaw - officially known as CVE-2014-0160.
Who discovered Heartbleed?
Heartbleed was first discovered in parallel by security company Codenomicon, who first reported it to the OpenSSL team, and a Google researcher called Neel Mehta.
Both worked with the OpenSSL team on a fix before revealing the security flaw publicly in order to limit the fallout.
What can Heartbleed allow hackers to do?
By sending a malformed heartbeat message, cybercriminals can trick a computer into sending them part of the information stored on the system's memory, known as RAM.
A single attack will only return up to 64 kilobytes of information, but the attack can be repeated ad nauseam until the attacker gets the information required.
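To make the mechanism concrete, here is an added example (not OpenSSL's code) of a simplified heartbeat handler. The check_length flag turns the bounds check that the fix introduced on or off, and demo_leaks shows, on constructed data in a simulated memory buffer, that without the check the reply carries bytes that were never part of the request. The function names, the fake memory layout and the sample data are all assumptions of the example.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not OpenSSL's code: a simplified TLS heartbeat handler.
 * Wire layout: 1-byte type, 2-byte payload length (big-endian), payload,
 * then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define MEM_SIZE    256  /* size of the simulated (constructed) process memory */

/* Echo a heartbeat request that sits at the start of mem. record_len is the
 * number of bytes actually received. With check_length == 0 the handler
 * trusts the peer's length field (the Heartbleed defect); with
 * check_length != 0 it applies the fix. Returns bytes written to out, or -1
 * if the record is rejected. */
int handle_heartbeat(const unsigned char *mem, size_t record_len,
                     unsigned char *out, size_t out_cap, int check_length)
{
    if (record_len < 3 || mem[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)mem[1] << 8) | mem[2];
    /* The fix: the claimed payload must fit inside the bytes actually
     * received, together with the header and the mandatory padding. */
    if (check_length && 3 + payload_len + HB_PADDING > record_len)
        return -1;
    /* Simulation-only guard so the vulnerable path stays inside our fake
     * memory; the real bug had no such limit. */
    if (3 + payload_len > MEM_SIZE || 3 + payload_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = mem[1]; out[2] = mem[2];
    memcpy(out + 3, mem + 3, payload_len);  /* copies whatever follows the record */
    return (int)(3 + payload_len);
}

/* Demo: a 23-byte record (4-byte payload "ping" plus padding) whose length
 * field claims 100 bytes, followed in memory by constructed data. Returns 1
 * if the reply contains bytes that were never part of the record. */
int demo_leaks(int check_length)
{
    unsigned char mem[MEM_SIZE] = {0};
    unsigned char out[MEM_SIZE];
    const char *secret = "session=CONSTRUCTED-SAMPLE";  /* constructed data */
    mem[0] = HB_REQUEST; mem[1] = 0; mem[2] = 100;
    memcpy(mem + 3, "ping", 4);
    memcpy(mem + 3 + 4 + HB_PADDING, secret, strlen(secret) + 1);
    int n = handle_heartbeat(mem, 3 + 4 + HB_PADDING, out, sizeof out, check_length);
    return n >= 23 + (int)strlen(secret) && memcmp(out + 23, secret, strlen(secret)) == 0;
}
```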
What information could attackers steal with Heartbleed?
Effectively they could access any information being sent to or from the computer they are attacking, meaning anything from sensitive personal information sent in emails to banking and credit card details could be at risk.
Likely of much more interest to hackers will be the private encryption keys websites use on a daily basis to encrypt and decrypt information. With these, hackers will be able to access encrypted communications on that site even after the Heartbleed bug is fixed.
By using pattern matching techniques hackers will be able to quickly sort through the information they retrieve.
How do I know if I'm being attacked?
Unfortunately, this attack leaves absolutely no traces so it's impossible to know if you've been targeted.
Are cybercriminals already exploiting Heartbleed?
Again, because it is impossible to detect, it is impossible to say for certain if cybercriminals are actively exploiting this vulnerability - but considering how easy it is to exploit and how many services are vulnerable, you should expect that cybercriminals are already using it.
Who is affected by Heartbleed?
OpenSSL is used by open source web servers like Apache and nginx, which, according to the latest figures from NetCraft, power more than two-thirds of the active sites on the internet.
"OpenSSL is also used to protect email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and a wide variety of client side software," Codenomicon says.
However, many of the bigger companies (such as Google and Microsoft) along with financial institutions have been using their own encryption standard for a number of years so are therefore unaffected.
The most high profile service identified as being affected so far is Yahoo. Former LulzSec hacker Mustafa al-Bassam has put together a list of the top 1,000 websites affected - though some of these websites have now been updated.
Security researcher Filippo Valsorda has developed an online test that allows anyone to find out whether a server is vulnerable to being attacked, simply by entering the server's hostname.
What can I do?
As a web user, not much. The problem is with the servers which power the websites you are visiting and so it is up to them to fix the bug.
The one thing we can do as internet users is change the passwords we use for email and banking services: even if a service like Gmail wasn't affected directly, if you use the same password for any other online service (something you really shouldn't do) then your email or online bank accounts could be at risk.
How can Heartbleed be fixed?
The fix for Heartbleed is relatively simple: all websites need to do is update their systems to make sure they are running the latest version of OpenSSL.
As you would expect, all of the major online players like Facebook, Yahoo, Google and Microsoft have come out to say they have assessed any impact on their services and moved to address it.
While updating to the new version of OpenSSL is the minimum websites should do, it is also highly recommended that they issue new private keys, so that cybercriminals who may have stolen the old ones while the site was vulnerable don't have an easy backdoor into the site.
The big problem with Heartbleed will be with smaller websites whose administrators may not even be aware of the problem and won't update the OpenSSL library they are using - leaving them open to continued attacks.
Unfortunately it is relatively easy for hackers to search for websites using an older version of OpenSSL and target them.