"Heartbleed" is the most recent online security threat the internet world has experienced. Almost everybody who uses the internet is affected by this bug, so it is necessary for everyone to at least be aware of the threat and to change the passwords of the online accounts they have created with third-party sites such as Yahoo, Google and Facebook.
What is Heartbleed
Heartbleed is a bug in the OpenSSL cryptographic library, which is used for the encrypted communication of secured sites (HTTPS). Most Apache and Nginx web servers use OpenSSL, so most open source secured sites are affected by this bug. It appears to have been an accident: bad code written by an OpenSSL developer made the library itself vulnerable. The fault was in the functionality called Heartbeat, so the bug was named Heartbleed. The bug existed from December 2011 through several minor versions of 1.0.1, but there is no identified security breach of any site during that period of 2 years and 3 months. (http://mashable.com/2014/04/11/mashable-explains-heartbleed-2/)
What it does
It can leak up to 64K of server memory per Heartbeat, including your passwords, credit card details, private key details and a lot more. For instance, the client (a browser or program on the client machine) communicates with the server (which hosts a secured site) by sending a message to check the connection, and the server sends the same message back to the client to confirm that the connection still exists. Because of the Heartbleed bug, the server does not check the actual size of the message it received; it trusts the message size stated inside the message itself. Therefore someone can send a 1K message and claim it is 64K, and the server will return a 64K message made up of the 1K it received plus another 63K taken from server memory. In this case 63K of server memory data has leaked from the server, and more and more data leaks with more and more Heartbeats.
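The missing check described above, written out as an added example (this is not OpenSSL's code, nor code from the original post). It assumes the Heartbeat wire layout from RFC 6520: a 1-byte type, a 2-byte big-endian payload length, the payload, then at least 16 bytes of padding. The server must compare the claimed length against the bytes that actually arrived before echoing anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520), assumed here:
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length (big-endian)
 *   payload_length bytes of payload
 *   at least 16 bytes of random padding */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16

/* Returns 1 if the claimed payload length fits inside the record that was
 * actually received, 0 otherwise. The vulnerable code skipped this
 * comparison and copied `claimed` bytes regardless of how many arrived. */
int heartbeat_length_ok(const unsigned char *rec, size_t rec_len, uint16_t *claimed)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;                        /* too short even for an empty payload */
    uint16_t n = (uint16_t)((rec[1] << 8) | rec[2]);
    if (claimed) *claimed = n;
    /* Subtract from rec_len rather than adding to n, so nothing can overflow. */
    return (size_t)n <= rec_len - HB_HEADER_LEN - HB_MIN_PADDING;
}

/* Build a heartbeat response that echoes only validated payload bytes.
 * Returns the number of bytes written, or 0 if the request is rejected. */
size_t heartbeat_response(const unsigned char *req, size_t req_len,
                          unsigned char *out, size_t out_cap)
{
    uint16_t n;
    if (!heartbeat_length_ok(req, req_len, &n)) return 0;
    size_t total = HB_HEADER_LEN + (size_t)n + HB_MIN_PADDING;
    if (total > out_cap) return 0;       /* never write past our own buffer */
    out[0] = 2;
    out[1] = (unsigned char)(n >> 8);
    out[2] = (unsigned char)n;
    memcpy(out + HB_HEADER_LEN, req + HB_HEADER_LEN, n);   /* only n bytes, never more */
    memset(out + HB_HEADER_LEN + n, 0, HB_MIN_PADDING);    /* real code uses random padding */
    return total;
}

/* Constructed sample records (not captured traffic). */
/* Honest request: type 1, length 1, payload 'A', 16 bytes of padding. */
static const unsigned char good_req[] = { 1, 0, 1, 'A',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
/* Malformed request: claims 65535 payload bytes but carries only one. */
static const unsigned char bad_req[] = { 1, 0xff, 0xff, 'A',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };

int demo_good(void) { unsigned char buf[64]; return heartbeat_response(good_req, sizeof good_req, buf, sizeof buf) == 20; }
int demo_bad(void)  { unsigned char buf[64]; return heartbeat_response(bad_req,  sizeof bad_req,  buf, sizeof buf) == 0; }
```

With the check in place the malformed record is dropped, so the response can only ever contain bytes the client itself sent.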
Who is affected
Almost everyone who uses the internet could be affected, as no one can say "our server is secure and no data has been leaked". The most they can say is "there is no sign of a security breach on our server or site", and that is not enough, because it does not guarantee the security of the data we have given to that site.
Hosting providers running servers on Apache or Nginx with affected OpenSSL library versions are affected.
Site owners using shared hosting from the affected hosting providers above are also affected (even if they have no SSL-enabled sites). Site owners using VPS or dedicated servers with an Apache or Nginx web server and an affected OpenSSL library version are affected if their sites use SSL (HTTPS).
Internet users who have accounts with the affected sites above are also affected, as the affected sites/servers may have leaked their account details such as passwords, credit card details and other valuable information.
Is there a solution
Yes, there is a new version (1.0.1g) of the OpenSSL library in which this bug has been patched. So if you are running an affected version, you need to upgrade the library to the latest version to prevent future attacks.
What should I do
You should take several steps to prevent any future attacks. (http://mashable.com/2014/04/09/heartbleed-what-to-do/)
- Hosting providers should patch their servers by upgrading OpenSSL to the latest version if they were using an affected version.
- Then they should revoke the existing SSL certificate and install a new one (with new private/public keys).
- Finally they should change the various passwords such as SSH, control panel and server user passwords, and should ask their clients to change their passwords as well.
- Site owners should likewise contact their hosting provider (if using shared hosting) or patch the servers themselves (if using VPS or dedicated hosting) to the latest OpenSSL if they were using an affected version.
- If the site uses SSL, install a new SSL certificate with new private/public keys.
- Change all passwords such as SSH, control panel, database and administration passwords.
- Ask site users to change the passwords of their accounts.
- Internet users should check whether the sites they use were affected by the bug. (http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/)
- If you can't find details about it, it is better to contact the site first to verify this.
- Check or ask whether they have patched their servers and installed a new SSL certificate after 7th April 2014.
- If they have done so, then change the passwords for your accounts with that site; there is no point in changing passwords before the servers are patched and new SSL certificates are installed.
- For credit card or bank details, keep an eye on your transactions to identify any unauthorised ones.