Article Lead Image

What is Heartbleed, the bug that’s leaking your data?

File this under "complicated but important."

 

Fernando Alfonso III

Tech

Posted on Apr 8, 2014   Updated on May 31, 2021, 12:34 pm CDT

Players for the University of Kentucky and the University of Connecticut basketball teams weren’t the only ones sweating the big one Monday night.

Web server administrators are scrambling to address a new bug affecting the security of the Bitcoin business community, the FBI, and millions of websites around the world, including Yahoo and Tumblr.

Dubbed the “Heartbleed bug,” the flaw affects roughly two-thirds of the entire Web, and makes it possible to swipe “usernames, passwords, instant messages, personal emails, transactions and sensitive business information” from servers powering the Internet, cybersecurity firm CNW Group reported.

Here’s what you need to know about the Heartbleed bug, how you can find out if you’re affected, and how to fix it.

What exactly is the bug?

The Heartbleed bug is a vulnerability in OpenSSL, a widely used open-source cryptographic protocol that enables Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption. The flaw in OpenSSL potentially allows attackers to access private information that should be tightly protected.

(The bug’s technical name is CVE-2014-0160 and specifically deals with OpenSSL’s implementation of the heartbeat extension.)

SSL is a popular security technology that creates an “encrypted link between a web server and a browser,” info.ssl.com states. SSL is used by millions of websites in order to protect data exchanged through websites and servers. This is done through a SSL Certificate.

“An SSL certificate is a bit of code on your Web server that provides security for online communications,” thawte.com states. “When a Web browser contacts your secured website, the SSL certificate enables an encrypted connection. It’s kind of like sealing a letter in an envelope before sending it through the mail.”

TLS is similar to SSL in that it is used to protect Internet communications and ensure “that no third party may eavesdrop or tamper with any message,” SearchSecurity states.  

You can tell when a website uses TLS or SSL when a small lock appears on your browser’s location bar, or you see “HTTPS” in the URL.

For those of you with a bit more technical savvy: The Heartbleed bug affects OpenSSL versions 1.0.1 through 1.0.1f. According to PC World, the bug specifically affects the following operating systems: Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2.

Skillful manipulation of the vulnerabilities can allow an attacker to read small chunks of the computer’s memory. By assembling and analyzing several of those chunks, an attacker can obtain private information.

Is this bug new?

The Heartbleed bug has actually been around since 2011, “meaning critical data on a large portion of the Internet has been openly available for years,” Coindesk reported. It is unclear whether this vulnerability has ever been exploited.

The bug was recently “discovered” by security professionals at Codenomicon and Neel Mehta of Google Security, which is why it’s suddenly a big deal.

How do I know if I’ve been affected?

Italian programmer Filippo Valsorda has created a handy tool called the “Heartbleed Test” for people to insert the hostname of their server to see if it’s been compromised. 

More importantly, it is imperative that you change all your passwords. Yes, all of them—it’s prudent to assume every password used for the past two years has leaked into nefarious hands.

How can I fix this?

In most case, you won’t have to—that’s the job of Web server administrators. If you wear that hat and still feel in over your head, Codenomicon says the best solution is to install the latest version of OpenSSL or “recompile OpenSSL with the handshake removed from the code by compile time option -DOPENSSL_NO_HEARTBEATS.”

Note: This story has been updated with additional contextual information concerning Tumblr and Yahoo vulnerabilities, and with advice about changing passwords.

Illustration by Jason Reed

Share this article
*First Published: Apr 8, 2014, 1:43 pm CDT