By now, most of you will probably have heard of Heartbleed, a massive security flaw that was disclosed 2 days ago in the popular OpenSSL library that, for better or worse, is widely used on the Internet. Although a little late, here's a basic overview of this vulnerability and how you can protect yourself from it.
What is OpenSSL
OpenSSL is an open source implementation of the TLS protocol, a protocol designed to allow encrypted communication over the Internet. A protocol is just a set of rules that both ends have to follow in order to communicate securely. An implementation is the actual computer program that behaves according to the definition of the protocol.
Note that TLS is not the only protocol that allows encrypted communication, and OpenSSL is not the only implementation of TLS. But the fact remains that TLS is the most used protocol, and OpenSSL its most commonly used implementation.
TLS is extensively used on the World Wide Web. It's the basis of the increasingly common HTTPS protocol that websites use to provide encryption, like your bank's website or any online shop that asks you for a credit card number. If you've ever noticed a closed lock icon before entering sensitive data (or https:// instead of http:// in the URL), you're browsing the web using TLS.
On April 7th, a major vulnerability was announced in OpenSSL. Since this is cryptography we're talking about, every bug is potentially dangerous, but this one was particularly delicate. It allowed attackers to read the computer's memory, including data they were never supposed to see: passwords, email addresses, credit card numbers, and other valuable sensitive information.
How can I protect myself
As a web user, the first thing you need to do is determine which version of OpenSSL you're using (if any). For instance, I think that by default Windows will not use OpenSSL. The simplest way to determine this is to run the following on the command line:
$ openssl version
OpenSSL 0.9.8y 5 Feb 2013
(If you get an error, it probably means you don't use OpenSSL on your machine.)
Once you've determined which version you're running, check whether it's affected by the bug. According to the Security Advisory published by OpenSSL concerning this bug, these are the affected versions:
- OpenSSL 1.0.2-beta
- OpenSSL 1.0.1 through OpenSSL 1.0.1f (inclusive; OpenSSL 1.0.1g is not affected)
- OpenSSL 1.0.0 (and 1.0.0 branch releases) is not vulnerable
- OpenSSL 0.9.8 (and 0.9.8 branch releases) is not vulnerable
If you're using a vulnerable version, you should either update to 1.0.1g or apply whatever security patch your package manager has published. Another option is to compile the 1.0.1g version yourself with the -DOPENSSL_NO_HEARTBEATS flag enabled (only compile manually if you're positive you know what you're doing).
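As an added example (not part of the original post), here is a small Python script that runs `openssl version` and applies the advisory's version ranges listed above to the banner it gets back; the sample banners in the comments are constructed for illustration.

```python
import re
import subprocess

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014"
# (both constructed examples): major.minor.patch, optional letter, optional -suffix.
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\S+))?")


def parse_version(banner):
    """Turn the first line of `openssl version` into (major, minor, patch, letter, suffix)."""
    m = VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, patch, letter, suffix = m.groups()
    return (int(major), int(minor), int(patch), letter, suffix or "")


def is_heartbleed_vulnerable(banner):
    """True if the version is inside the ranges the OpenSSL advisory lists as affected."""
    major, minor, patch, letter, suffix = parse_version(banner)
    base = (major, minor, patch)
    if base == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g carries the fix.
        return letter < "g"
    if base == (1, 0, 2):
        # Only the 1.0.2 beta releases existed at disclosure time, and they are affected.
        return suffix.startswith("beta")
    # The 1.0.0 and 0.9.8 branches never contained the heartbeat bug.
    return False


def check_local_openssl():
    """Run `openssl version` on this machine; returns None when openssl is not installed."""
    try:
        banner = subprocess.check_output(["openssl", "version"]).decode()
    except (OSError, subprocess.CalledProcessError):
        return None
    return is_heartbleed_vulnerable(banner)


if __name__ == "__main__":
    result = check_local_openssl()
    if result is None:
        print("openssl not found; this machine probably does not use OpenSSL")
    else:
        print("vulnerable" if result else "not vulnerable")
```

Keep in mind that the banner alone can mislead: distributions often backport the fix while keeping the old version string, so confirm against your package manager's changelog as well.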
In general, applying updates, particularly security updates, as soon as your package manager tells you to can only be a good idea for you. Stop postponing updating your system!
That's it? I should just apply an update?
Unfortunately, that was the easy part. The problem doesn't only come from your computer, but also from all the servers running OpenSSL where you may have left any sensitive data in the past. So, first things first:
Change all your passwords on every service you use.
I know it's a pain in the ass. I wish there was another way. But heartbleed was such a serious matter that you have to consider that all your passwords are currently compromised.
Another thing you should consider compromised is your session cookies, so explicitly log out of and back into each of the services you use so that the old cookies are invalidated.
Finally, some of you might be using private keys to connect via SSH to remote machines. These "might" be compromised too. I write "might" in quotes because I just read an article that claims that private keys aren't leaked. I'm not a security expert, and even though I understand the point the article is making, I don't think I understand enough about security to have an opinion. When in doubt, I changed all my private keys, and I suggest you do the same.
Conclusion
That's it. Let me know if I can help out in any way, and please help spread the word. The worst part about this bug is that attacks are virtually impossible to detect, so it's tough to know whether this vulnerability has been exploited anywhere. Heartbleed is very real and very dangerous, but at the same time the reaction to this vulnerability has been nothing short of spectacular. Since Monday, armies of sysadmins, programmers, journalists and users alike have been working tirelessly to fix this security hole. Heartbleed is not the first security bug of this magnitude we've ever found, nor will it be the last, but at least it taught us something about the power of marketing when it comes to disclosing these vulnerabilities.
Extra links