Internet researchers have found a brand new, very serious vulnerability called the Heartbleed Bug, which makes it possible for hackers to steal encrypted information from secure websites that run certain versions of OpenSSL.
This bug allows attackers to read the memory of web servers running vulnerable versions of OpenSSL, including the secret keys used to encrypt messages sent by those websites. With those keys, attackers can decrypt and steal supposedly secure data captured during an encrypted web session.
A Quick Review of Secure Websites (HTTPS)
Online retailers and banks use HTTPS — short for Hypertext Transfer Protocol Secure — to secure messages sent and received by their websites. Have you ever seen a small lock symbol next to the URL of a website? This indicates that the website’s traffic is secured using HTTPS.
The technology behind HTTPS is called SSL, or Secure Sockets Layer. SSL creates an encrypted link between the website and your browser which is supposed to ensure that the website is authentic and that all data passed between you and the website remains private.
Secure websites rely on SSL and its successor TLS (Transport Layer Security) to create encrypted sessions. TLS/SSL uses cryptographic keys contained in digital certificates to let your browser confirm that web servers are who they say they are. TLS/SSL then generates secret session keys that keep the data exchanged between you and a secure website private. An attacker who captures SSL/TLS-encrypted messages sees only gibberish, unless they also hold the secret keys used to encrypt those messages.
OpenSSL and Heartbleed
OpenSSL is an open source software package that many website developers use to perform TLS/SSL encryption. Unfortunately, due to a small coding error, certain versions of OpenSSL let any attacker send a “heartbeat” message whose reply contains small chunks of the vulnerable web server’s memory. By sending heartbeats repeatedly, the attacker can collect quite a bit of information from the server, including the secret keys used by TLS/SSL.
This is a big deal, because if attackers can harvest those secret keys, they can use them to decrypt messages sent and received by that server, now or at any time in the past. By decrypting your messages, attackers can steal your website login information as well as other sensitive information like any credit card information exchanged with an online retailer website like Amazon.
In addition, this OpenSSL security flaw, dubbed “Heartbleed”, allows attackers to see how the website identifies itself through its digital certificates. With this stolen certificate information, cyber thieves can create fake websites that look authentic to both you and your browser.
And the worst part about it is that you would have no idea that an attack had taken place because the stolen website certificate appears to be authentic.
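To make the “small coding error” concrete, here is an added illustration (not OpenSSL’s own code, and not part of the original article) of the heartbeat handling described above: a toy handler that trusts the length field inside the heartbeat request and echoes that many bytes, shown next to one that first checks the declared length against the record that was actually received. The memory image, the "hello" payload and the "SECRET-KEY-BYTES" string are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

#define HB_REQUEST 1  /* heartbeat_request message type */
#define HB_PADDING 16 /* minimum padding a heartbeat record must carry */
#define MEM_SIZE   64 /* constructed slice of server memory */
typedef size_t (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);

/* Vulnerable: trusts the 16-bit length field and echoes that many bytes, even when the record received is shorter. */
static size_t heartbeat_reply_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len > out_cap) return 0; /* bounds the reply buffer, not the read */
    memcpy(out, rec + 3, payload_len);   /* reads past the request into neighbouring memory */
    return payload_len;
}

/* Fixed: declared payload plus padding must fit in the record actually received, else drop it silently. */
static size_t heartbeat_reply_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload_len + HB_PADDING > rec_len) return 0;
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Constructed memory image: a request whose real payload is "hello" but whose length field
 * says `claimed_len`, followed by a secret the server holds next to it. Returns bytes really received. */
static size_t build_memory(uint8_t *mem, uint16_t claimed_len) {
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)claimed_len;
    memcpy(mem + 3, "hello", 5);                   /* zero padding follows */
    size_t rec_len = 3 + 5 + HB_PADDING;           /* 24 bytes on the wire */
    memcpy(mem + rec_len, "SECRET-KEY-BYTES", 16); /* not part of the request */
    return rec_len;
}

/* Returns 1 if `handler`'s reply to the constructed request carries the secret, 0 otherwise. */
static int reply_leaks_secret(hb_handler handler, uint16_t claimed_len) {
    uint8_t mem[MEM_SIZE], out[MEM_SIZE];
    size_t rec_len = build_memory(mem, claimed_len);
    size_t n = handler(mem, rec_len, out, MEM_SIZE - 3); /* cap keeps the over-read inside `mem` */
    for (size_t i = 0; i + 6 <= n; i++)
        if (memcmp(out + i, "SECRET", 6) == 0) return 1;
    return 0;
}
```

Calling reply_leaks_secret with a length field of 40 against a 24-byte record returns 1 for the vulnerable handler and 0 for the fixed one; with an honest length of 5 both simply echo "hello" and leak nothing.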
What You Can Do to Mitigate the Risks
Luckily, not all versions of OpenSSL contain this security flaw. There are newer versions out there that have fixed this bug, and discovery of this very high-profile bug will likely trigger a rapid wave of website updates to eliminate it.
But this security flaw has been there for two years, and many websites still use vulnerable versions of OpenSSL, including (as of publication):
- Ok Cupid
- Hide My Ass
If you have an account with any of these websites, you should immediately update your login/password information. These sites will not only have to upgrade to a newer version of OpenSSL, but also replace all of the digital certificates previously issued to their web servers.
Unfortunately, there’s also no way to know whether hackers used stolen secret keys to decrypt any of your account information or messages, since doing so leaves no trace. It’s best to assume the worst and change your logins and passwords today, not just on vulnerable websites, but on every website where you use the same or a similar login/password.