What is ‘Heartbleed’ and why does it matter?

Posted on May 1, 2014 in Internet Presence, by Al Harris

The internet has been a buzz about Heartbleed and the Fort Collins & Greeley IT support team at Technical Framework has been fielding questions about this newly discovered security flaw. This article should help you understand exactly what Heartbleed is and why it matters.

In short Heartbleed is a bug in cryptographic software called OpenSSL. OpenSSL secures web communications and this bug appears to have left roughly two-thirds of the entire internet vulnerable to eavesdropping. The most concerning thing is – other than how widespread this potential security hazard is – it went undiscovered for two years. Heartbleed has left over 60 per cent of the web susceptible for two years, making it one of the most major security problems ever.

In laymen’s terms OpenSSL is the way your browser talks to the internet in a secure, encrypted manner. The SSL part stands for Secure Socket Layer, which is a cryptographic protocol. SSL is the ‘s’ that you find in “https” – the prefix used for Web addresses that are using a secure, encrypted connection.

Heartbleed is a flaw an attacker could theoretically use to unravel the secure channels that banks, e-commerce sites, social networks and regular sites use when you are inputting sensitive information, so they can get hold of it for their own purposes. This means that any details such as passwords that you have typed in on supposedly encrypted pages with the https prefix have been potentially available to hackers for the past two years.

Heartbleed, technically known as CVE-2014-0160, allows a hacker to read any information off a Web server despite the fact that it is supposed to be specifically secured from such attacks. The bug that has caused this major security issue affects one of the OpenSSL extensions called “heartbeat”, hence the nickname Heartbleed. Heartbeat is designed to make it possible to keep the secure communication channel open without having to re-negotiate the security protocols time and time again.

The bug enables hackers to request data from a Web server’s memory. They are able to access a huge array of information including the site’s SSL encryption keys and user passwords.
Not only does Heartbleed let malicious users access supposedly secure data but it is also extremely difficult to tell when a server has been exploited, meaning that the two-thirds of the web that has been vulnerable may not even know they have been attacked.

The best way to secure yourself is to minimize any further damage to any accounts you use that contain sensitive information. This includes online bank access, social networking sites like Facebook, Twitter and YouTube, and any other website you frequently log in to. Change your passwords everywhere, even if the sites in question were not affected by Heartbleed. It’s generally a good idea to change all your passwords regularly in any case.

To find out what to do about Heartbleed contact Technical Framework, the leading Fort Collins IT Consulting firm.