The Heartbleed Bug
As you may be aware a flaw in the security infrastructure of much of the internet has been recently discovered. The defect is referred to as “heart bleed” or “Heartbleed” and it is without question one of the biggest challenges
to online security to date.
In essence, the bug is the result of a coding error in the OpenSSL cryptographic library, an error that can be exploited to obtain sensitive data and potentially used to decrypt information captured previously. To make matters worse, the bug is widespread. The OpenSSL library is a very popular tool for encrypting online data. It is the preferred library for creating secured transactions on both the Apache and Nginx web servers, which together account for over 66% of all web servers on the internet. It is also used for some mail servers and some types of VPN service. If you use the internet, and I’m assuming you do if you’re reading this now, the odds are very good that this bug affects you directly.
SSL stands for Secure Socket Layer, a standard that has been superseded by the more modern implementation of the same technique, called Transport Layer Security, or TLS. However, despite its name the OpenSSL library is used in TLS as well. SSL and TLS both work by means of a shared encryption key. This means that when two parties wish to communicate privately online, for example you and your bank, they exchange a numeric key that is used to encrypt all messages and information sent back and forth. Without the key none of the traffic can be read by a third party. Even were that third party to capture and record all messages sent between your bank and you all they would have would be a file of illegible gibberish.
The TLS protocol uses a technique called a “heartbeat” to keep the session between the two parties active. Normally this is a good thing to do as having to renegotiate the encrypted connection all the time would be relatively expensive in terms of CPU time. However, with the introduction of the defect the heartbeat signal becomes a serious problem. The nature of the bug is such that a cleverly formed request, a request to initiate a TLS session, can cause the server to send a little extra along with the basic heartbeat signal. An additional 64K of data, picked almost at random from the server’s memory, will be sent back along with the heartbeat signal.
This 64K can contain just about anything, including user names, passwords, and in some instances, the certificate that is used to generate the encryption key in the first place. This might seem like an almost trivial amount of data. 64K is not a lot by today’s standards. But then the attacker can get an additional 64K block with every heartbeat signal. They can do this all day long and the attack leaves no trace, no record that any data was lost, no record that an attack occurred at all.
By Dave Kuhl, Lead Senior Consultant – Olenick & Associates, Chicago