Encryption security bug Heartbleed affects two thirds of the Internet, including Yahoo

by Dan Vlasic on 9 April 2014 · 3633 views

Millions of servers are affected by a security vulnerability nicknamed “Heartbleed” in OpenSSL, the open-source library that a large share of the Internet relies on for TLS/SSL encryption. Even though an emergency patch (OpenSSL 1.0.1g) has already been released, websites like Yahoo are scrambling to shore up their own security.

On Monday afternoon the OpenSSL project released an urgent security advisory about Heartbleed, a bug that lets an attacker read chunks of a server's memory. Because that memory can contain the server's private encryption keys, an attacker who recovers them can intercept and decrypt traffic to the server or even impersonate the server itself.

Each exploit attempt lets the attacker read up to 64 KB of the server's memory, chosen not by the attacker but by whatever happens to sit next to the heartbeat buffer in the process heap. The Verge compares it to fishing: the perpetrators have no idea whether there will be any usable data in the haul, but they can cast the line over and over again, and the odds are that they will eventually net a lot of sensitive data. The prize in that memory is the server's private key, which is necessarily held in memory while the server is running and is easy to recognise among other data. With the key, an attacker can decrypt traffic to and from the server and, where the connection did not use a forward-secret (ephemeral Diffie-Hellman) key exchange, decrypt past traffic that was captured and stored in encrypted form.
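The mechanism behind that over-read is simple enough to show in a few dozen lines. The following is an added example written for this article, not code from OpenSSL or from the original page: it simulates the TLS heartbeat handler with a 4 KB array standing in for the process heap, a constructed fake private key placed after the request record, and two handlers side by side. The vulnerable one mirrors the actual defect (the 16-bit payload length from the request header is used as the copy length without comparing it to the record length); the fixed one adds the bounds check that OpenSSL 1.0.1g introduced. All names (`arena`, `heartbeat_vulnerable`, `heartbeat_fixed`, `build_request`) are this example's own.

```c
/* Added example (not from the article or from OpenSSL): a self-contained
 * simulation of the TLS heartbeat handling behind Heartbleed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16        /* minimum padding required by RFC 6520 */
#define ARENA_SIZE  4096      /* stand-in for the process heap */

static unsigned char arena[ARENA_SIZE];
/* Constructed secret that happens to live near the request in the "heap". */
static const char fake_secret[] = "-----BEGIN RSA PRIVATE KEY----- (constructed)";

/* A received TLS record: pointer into the arena plus its REAL length. */
struct tls_record { const unsigned char *data; size_t length; };

/* Build a heartbeat request whose header claims `claimed_len` payload bytes
 * but which actually carries only `real_len`; the fake secret is placed
 * 64 bytes after the end of the record. */
static struct tls_record build_request(uint16_t claimed_len, size_t real_len) {
    struct tls_record rec;
    memset(arena, 'A', sizeof arena);                 /* surrounding heap noise */
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memset(arena + 3, 'P', real_len);                 /* actual payload */
    memset(arena + 3 + real_len, 0, HB_PADDING);      /* padding */
    rec.data = arena;
    rec.length = 3 + real_len + HB_PADDING;
    memcpy(arena + rec.length + 64, fake_secret, sizeof fake_secret);
    return rec;
}

/* Vulnerable handler, mirroring OpenSSL 1.0.1 to 1.0.1f: the copy length comes
 * straight from the attacker-controlled header, never checked against
 * rec->length. The out_cap test is only a guard for this simulation (keep the
 * reply buffer no larger than the arena so the over-read stays inside it). */
static size_t heartbeat_vulnerable(const struct tls_record *rec,
                                   unsigned char *out, size_t out_cap) {
    const unsigned char *p = rec->data;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (p[0] != HB_REQUEST || (size_t)payload_len + 3 + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = p[1]; out[2] = p[2];
    memcpy(out + 3, p + 3, payload_len);   /* over-read: runs past the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Fixed handler, mirroring the 1.0.1g check: header + claimed payload +
 * padding must fit inside the record actually received, else drop it. */
static size_t heartbeat_fixed(const struct tls_record *rec,
                              unsigned char *out, size_t out_cap) {
    const unsigned char *p = rec->data;
    uint16_t payload_len;
    if (rec->length < 1 + 2 + HB_PADDING || p[0] != HB_REQUEST) return 0;
    payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec->length) return 0; /* the fix */
    if ((size_t)payload_len + 3 + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = p[1]; out[2] = p[2];
    memcpy(out + 3, p + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Does the reply contain the secret that lived beyond the record? */
static int leaks_secret(const unsigned char *out, size_t n) {
    size_t i, slen = strlen(fake_secret);
    for (i = 0; i + slen <= n; i++)
        if (memcmp(out + i, fake_secret, slen) == 0) return 1;
    return 0;
}

/* Scenarios: each returns 1 when the handler behaves as described. */
static int scenario_vulnerable_leaks(void) {          /* claims 1024, sends 1 */
    static unsigned char reply[ARENA_SIZE];
    struct tls_record req = build_request(1024, 1);
    size_t n = heartbeat_vulnerable(&req, reply, sizeof reply);
    return n == 3 + 1024 + HB_PADDING && leaks_secret(reply, n);
}
static int scenario_fixed_rejects(void) {             /* same request, fixed code */
    static unsigned char reply[ARENA_SIZE];
    struct tls_record req = build_request(1024, 1);
    return heartbeat_fixed(&req, reply, sizeof reply) == 0;
}
static int scenario_fixed_accepts_honest(void) {      /* claimed == real */
    static unsigned char reply[ARENA_SIZE];
    struct tls_record req = build_request(16, 16);
    size_t n = heartbeat_fixed(&req, reply, sizeof reply);
    return n == 3 + 16 + HB_PADDING && reply[0] == HB_RESPONSE && !leaks_secret(reply, n);
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", scenario_vulnerable_leaks());
    printf("fixed handler drops malformed request: %d\n", scenario_fixed_rejects());
    printf("fixed handler answers honest request: %d\n", scenario_fixed_accepts_honest());
    return 0;
}
```

The attacker here sends one byte of payload while claiming 1,024, and the vulnerable handler dutifully echoes 1,024 bytes, including the fake key that sat 64 bytes past the record; in the real bug the claimed length can go up to 65,535, which is where the "64 KB per request" figure comes from. Nothing in the fix limits what the heap contains; it only refuses to copy more than the record actually carried.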

About two thirds of the Internet's web servers use OpenSSL to protect data in transit: passwords, user names and other sensitive information exchanged with secure websites. OpenSSL 1.0.1 through 1.0.1f are affected; sites have to upgrade to a patched build (1.0.1g or later, or a vendor build with the fix backported) to close the exposure of their clients. Millions of servers were exposed to Heartbleed.

International Computer Science Institute security researcher Nicholas Weaver said, “It is catastrophically bad, just a hugely damaging bug.”

Yahoo's services may be among those hit worst of all by Heartbleed. The bug turns out to be about two years old, dating back to OpenSSL 1.0.1 in early 2012, but it only gained public attention now that Google researcher Neel Mehta reported it.

Yahoo promptly updated its servers: “our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Finance, Yahoo Food, Yahoo Tech, Yahoo Mail, as well as Sports, Flickr and tumblr) and we are working to implement the fix across the rest of our sites right now.”

That means Yahoo's servers may have been exposing user information for up to two years. Any server running an affected OpenSSL build with the TLS heartbeat extension enabled is vulnerable, whether it sits behind Nginx, Apache or something else, which makes things look pretty ugly for a multitude of legitimate websites and services. According to Ars Technica, OpenSSL ships in a wide variety of operating systems and applications, including Debian Wheezy, CentOS, Fedora, Ubuntu and openSUSE Linux, as well as OpenBSD and FreeBSD.

Microsoft, Apple and Google services, as well as major online banking sites and PayPal, do not appear to be affected.

Representatives of the Tor project said in a statement, “If you want strong anonymity or privacy online, you might want to stay away from the Internet entirely for the next few days while things settle.”

Experts warn that even patched servers may still be at risk, since private keys could have been stolen before the patch was applied, and patching alone does nothing about a key that has already leaked. “I bet there will be a lot of vulnerable servers a year from now. This won’t get fixed,” said Weaver.

Affected websites will also need new private keys and new SSL certificates, and the old certificates must be revoked. It is an expensive and time-consuming procedure, yet an unavoidable one if Heartbleed is to be fully purged. A certificate issued after the patch date is one sign that a site has re-keyed, but only if it was issued for a freshly generated key; a certificate reissued for the old key offers no protection.

Users are advised to change their passwords on affected websites, but doing so before a site has patched and re-keyed helps little, because the new password can be captured just like the old one.

“These are really subtle bugs. You might detect it if you ran it through a memory checker, but this is not the kind of thing that just shows up looking at the code,” says Weaver.

There are online tools that test whether a website is currently vulnerable to Heartbleed, but their results vary from site to site, and a clean result today is no proof that the site was never exposed.

Very few services have published comprehensive guides for their users on what to do about Heartbleed. Each server has to be fixed individually, and some websites may not be able to repair the bug for quite some time. As The Wire puts it, Heartbleed has to be dealt with “on a site-by-site basis.”

Heartbleed appears to be a major threat both in the number of affected machines and in the severity of the bug.

Comments (5)
kshu on 15 Apr 2014
@toshi no problem, the xkcd illustration is pretty helpful, your link is much appreciated.

@dan I don't think we'll see some stats on that from major websites because releasing this kind of data will only harm users who did not change their passwords. Popups for changing passwords are all over major websites though, so hopefully the majority of people will do just that. But I just feel too optimistic today I guess :).
toshi on 15 Apr 2014
@kshu Oh sorry, didn't notice that. Thanks for the correction.
dan on 15 Apr 2014
I wonder how many people launched changing their passwords these days?
kshu on 15 Apr 2014
@toshi nice explanation although the image is kind of low res. This is the source http://xkcd.com/1354/ which is easier to view.
toshi on 15 Apr 2014
Well, for those who don't quite understand how the Heartbleed bug works, this comic strip explains it very well:

http://i.imgur.com/KBdDBPW.png