Jason Ogaard: What is Heartbleed and who named it?
One of the core reasons that the Internet has become such a great tool is the ability to use the Internet securely.
The most common way that we secure our data on the Internet is through Secure Socket Layer (SSL). SSL is an agreed upon protocol that websites and browsers use to encrypt your data.
When using a secure connection your browser first encrypts your traffic via SSL, that traffic is sent out over the Internet and is then received by the server. The server then decrypts your traffic via SSL.
If someone were to intercept the traffic between you and the server they could do nothing with it since it’s encrypted.
One of the most common implementations of SSL is called OpenSSL.
Remember, SSL is just a protocol, a set of rules for how it works.
SSL still needs to be implemented by the people using it.
OpenSSL is an open source implementation of SSL, hence its name. Being open source makes OpenSSL attractive for two reasons.
First, it is free for anyone to use.
Second, open source software is available for anyone to look at.
This means that potentially thousands of people can look at the source and find bugs or security holes.
Because of these advantages OpenSSL became popular.
Why would a website operator spend the money and time to create their own implementation of SSL when OpenSSL is available for free and has been audited by the open source community?
Unfortunately a rather large bug was found in OpenSSL recently.
Here’s how it works. When your computer is connected to a server it can ask the server if the connection is still alive and, if so, to respond with a particular piece of data.
This is called a heartbeat since the server is letting us know the connection is alive and well.
A simplified example would go like this:
Jason: server, are you there? If so please respond with blue (4)
Server: Jason, I am here, blue
If I exploit the bug in OpenSSL I would do something like this:
Jason: server, are you there? If so please respond with blue (500)
Server: Jason, I am here, blue username:fred flinstone password:bedrock address:143.234.433.543...
The number in parentheses indicates the length of the desired response.
That stated length should match the actual length of the requested response.
When I asked the server to respond with blue the length of the response should be four.
However, a couple of years ago a bug was introduced into OpenSSL that stopped checking whether the stated length matched the actual length of the requested response.
This means that if a hacker were to request a heartbeat from the server with a stated length longer than the actual response, they would get a block of data of that length from the server’s memory.
This block of data is mostly random information, most of which is innocuous, but some of it might contain sensitive information like your username and password.
Because the attack lets the hacker get extra information during a heartbeat the bug is called Heartbleed.
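As an added illustration that is not part of the column, here is a toy Python model of the heartbeat handling described above: a request carries a stated length, the pre-fix handler trusts that number and copies neighbouring "server memory", and the fixed handler rejects any request whose stated length does not fit inside what was actually received. The record layout, function names and the memory contents are constructed for the demonstration, not taken from OpenSSL.

```python
import struct

# Constructed "server memory" that happens to sit right after the request
# buffer. In the column's story this is where username/password ended up.
SECRET_NEIGHBOUR = b"username:fred password:bedrock "


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Heartbeat request: type (1 byte) | stated length (2 bytes) | payload."""
    return struct.pack("!BH", 1, claimed_length) + payload


def server_memory_after_receiving(request: bytes) -> bytes:
    """Simulate the request landing in a buffer next to unrelated server data."""
    return request + SECRET_NEIGHBOUR + b"\x00" * 64


def vulnerable_heartbeat_reply(memory: bytes, record_length: int) -> bytes:
    """Pre-fix behaviour: trusts the stated length and ignores the record size."""
    _type, claimed = struct.unpack("!BH", memory[:3])
    # Copies 'claimed' bytes starting at the payload, however many payload
    # bytes were actually received, so it reads past the request into
    # whatever sits next to it in memory. This is the Heartbleed over-read.
    return memory[3:3 + claimed]


def fixed_heartbeat_reply(memory: bytes, record_length: int):
    """Post-fix behaviour: the stated length must fit inside the received record."""
    if record_length < 3:
        return None                      # too short to even hold a length field
    _type, claimed = struct.unpack("!BH", memory[:3])
    if 3 + claimed > record_length:      # the check the buggy version lacked
        return None                      # silently discard the request
    return memory[3:3 + claimed]


def demo(claimed_length: int):
    """Send 'blue' with a stated length; return (vulnerable reply, fixed reply)."""
    request = build_heartbeat(b"blue", claimed_length)
    memory = server_memory_after_receiving(request)
    return (vulnerable_heartbeat_reply(memory, len(request)),
            fixed_heartbeat_reply(memory, len(request)))


if __name__ == "__main__":
    print(demo(4))    # honest request: both handlers answer b"blue"
    print(demo(40))   # oversized request: only the vulnerable handler leaks
```

With the honest length of 4 both handlers return `blue`; with 40 the vulnerable handler also returns the neighbouring secret while the fixed one returns nothing.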
The fix for this issue was simple and it’s already been implemented. However, every individual website administrator must apply the fix.
Responsible website administrators will let you know via email that their servers were compromised and when to expect a fix. Because of the nature of Heartbleed your credentials on every vulnerable website could be compromised.
What you need to do is to wait until compromised websites on which you have an account have implemented the new fix and then change your credentials on that site.
To check whether a website you use was affected, you can visit lastpass.com/heartbleed.
JASON OGAARD was born in Bemidji and is a software engineer for FICO, a Minneapolis based public company providing analytics and decision-making services, including credit scoring for credit bureaus.