Heartbleed bug

15 April 2014
Posted by Ramsey Faragher.

Ramsey, tell us about this Heartbleed computer bug that was picked up and announced in a big way, big splash this week.

Ramsey - Yeah, it's really serious. There's this protocol on the internet called SSL, which stands for Secure Socket Layer, and this is a set of tools and rules for computers to talk to services and exchange information in an encrypted way. So, whenever you log in to something like Facebook or Gmail, or use your bank, and use a username and a password, your computer and the service set up a secure link to exchange data in an encrypted way so no one can sniff and steal your data. Now, the problem is that a lot of websites are using OpenSSL, which is an open source version. In other words, it's free, but it's maintained by people who basically maintain it for fun to provide this technology for free. There's a big question mark as to why very big, very rich organisations are using a free version of this very important tool, because a few minutes before midnight on New Year's Eve two years ago, someone checked in some code to the code base which had a bug in it, a very serious bug. The reason it's called Heartbleed is because you can have a heartbeat, which is like pinging the server. You can say, "Hello. Are you still there? I want to talk to you." You send a little packet of data and the server responds with the same packet. Now, the bug that was checked in by mistake was that the OpenSSL software did not do a proper check on this message. If you sent a slightly illegal version of the message, it didn't check it properly, and what happened was the server responded not only with a little "Hello. Yes, I can hear you" but it also provided you with 64kb of some chunk of the memory of the server.

Chris - Ouch! So potentially, if someone knew how to manipulate that, they could extract bits of the memory that contained sensitive data, enabling them to then compromise that supposedly secure connection.

Ramsey - Yes, so in a very rapid nutshell, in the server's memory at that time, if you were logged in, if you're using the server yourself, then potentially your username, your password, and the secret keys that are part of your encryption would all be getting leaked to this other person. There was no limit on how many times you could send this malformed message. So potentially, over the last two years, malicious people who knew about this could have been regularly copying out the memory of these servers and getting hold of usernames, passwords, secret keys and the certificates which authenticate websites. So in other words, they could then start setting up fake versions of websites and you would log on to them thinking they were real, and your browser and all the security systems would go, "Yeah, the certificate is correct. This is the right version of Facebook," but it's not. Now, the big problem is that this has been going on for two years, and the big question is how much damage there is. And so people should look at all of the things they use, like Gmail, Facebook and so on. They should check when the fixes for those services were applied, and they should then change their password.
