What is Heartbleed?

Apr 9, 2014
An important security issue that everyone should be aware of.

An SSL protected connection has an HTTPS address.

Heartbleed is a flaw in a piece of software called OpenSSL. When you visit a website like your bank or Google's Gmail and you see HTTPS:// in the address bar, that means the website is using a technology called SSL (today, more precisely, its successor TLS) to protect the information that you and the website exchange with each other: everything from passwords to credit card numbers to bank balances. Without SSL, anyone sitting between you and the website, on the coffee-shop Wi-Fi for instance, can read or alter everything that you send to, or receive from, that website.

One popular brand of SSL software is OpenSSL; at the time of disclosure it was estimated to secure roughly two-thirds of the web's servers. When a website is using an affected version of OpenSSL (1.0.1 through 1.0.1f), the Heartbleed flaw lets an attacker ask the server for a raw, unprotected sample of its memory, up to 64 KB per request, and the request can be repeated as often as they like without leaving a trace in the server's logs. Whatever happened to be in that memory comes back in the clear: recent requests and responses, usernames and passwords, session cookies and, as discussed below, the server's private keys.

Although the flaw has existed for about two years (it was introduced with OpenSSL 1.0.1 in March 2012), it was only recently discovered, independently by a Google security engineer and by the Finnish security firm Codenomicon. They informed OpenSSL of the problem so that a fixed release (1.0.1g) could be prepared before announcing the problem to the public. OpenSSL made its public announcement on Monday, April 7th, 2014; the flaw is tracked as CVE-2014-0160.

For the curious, a layman's explanation of how this flaw was given its graphic name can be found here.

What About "Private SSL Keys?"

Having your passwords compromised is bad enough. SSL relies on a pair of keys belonging to the website: a public key, which is published in the website's certificate and handed to every visitor, and a private key, which must never leave the website's servers and is never shared with a visitor. The private key is what lets the website prove it really is your bank or online store, and it is used to set up the encryption that protects the information you share with it. That proof is what the HTTPS:// or that little padlock in the address bar of your web browser stands for.

Although initially debated, the Heartbleed flaw has since been proven to allow the disclosure of the private key (CloudFlare set up a deliberately vulnerable server as a public challenge, and its key was extracted within a day). This is particularly bad: a stolen private key lets a bad guy impersonate the company it was stolen from, and for traffic that was recorded before the fix it can reveal what was sent between visitors and the company's website even long after the flaw has been patched, unless those connections used forward secrecy. Patching alone is therefore not enough; the old key has to be treated as compromised, a new key and certificate issued, and the old certificate revoked. Instructions for affected website owners can be found here.

This matters to you because you want to be able to trust that the information you are sending to and receiving from your bank's website (or Facebook or some other place) is really going to and from the place you think it is. You want to be able to trust that HTTPS:// or that little padlock in your address bar. If you learn that a company was affected by Heartbleed, ask them whether they have replaced their certificates (and the keys behind them), or verify it for yourself as described below.

Was The Lones Group Website Affected?

No. Unlike many websites, TheLonesGroup.com does not use OpenSSL and was not affected by the Heartbleed vulnerability.

So Who Is Affected?

In some capacity, everyone. The flawed OpenSSL software was in use on about two-thirds of the web's servers. And it is not just websites: the same library is built into phones, home networking equipment, VPN appliances and many other devices, and client software that uses a flawed version can be attacked by a malicious server in the same way a server is attacked by a malicious client.

On Tuesday, April 8th, as news of the flaw was being publicized, the top 10,000 most visited websites were tested to see which were affected by this flaw. The resulting list contains many prominent names, including Facebook, Instagram, Pinterest, Tumblr, Twitter, Google, Yahoo, Gmail, Yahoo Mail, GoDaddy, Intuit TurboTax, Dropbox, Amazon's cloud services and thousands more. Bear in mind that the list is a snapshot: a site on it was vulnerable when tested, and many were patched within hours.

See the full top-10,000 list here.

When to Be Concerned

This probably won't affect you at your favorite news site and other places where you don't need to sign in. However, for banking websites, social networks and other websites where you share personal information, you should sit up and take notice. For example, real estate professionals should check their:

- MLS portal
- Brokerage portal
- IDX service
- Online document signing services
- Business banking services
- Cloud storage services
- Email portal websites
- Social media websites
- Any mobile app that you use where confidentiality matters

How Do I Protect Myself?

First, check to see if the website you want to visit is on the top 10,000 list above. If it is, test it (see below) to see whether it is still vulnerable. However, your local credit union and other less worldly websites you visit may not be on that list. In cases like that we recommend that you contact the institution by phone or email and find out three things:

  1. Were they vulnerable to the Heartbleed security flaw?
  2. If so, has it been patched?
  3. If so, have they replaced their security certificates and the private keys behind them?

How to Test a Website For the Heartbleed Vulnerability

Example of a site testing positive for the Heartbleed vulnerability.

You can also test websites using an online tool to see if they are still vulnerable. Use the link below and simply type in the address of the website you are curious about:

Click here to test a website

The screen shot at right is an example of the flaw actively being exploited. The testing website sent the target website a heartbeat message containing the text YELLOW SUBMARINE but claiming a much larger length. A vulnerable server trusts the claimed length and echoes back not only that text but whatever follows it in its memory. Seeing the text come back in the clear, followed by bytes the tester never sent, shows that even though the connection to the website was encrypted, the server's memory can be read, unprotected, by anyone who asks.
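The exchange just described, and the memory over-read explained in the first section, as an added example that is not part of the original article and not OpenSSL's own code: a small C model of the heartbeat message from RFC 6520, the vulnerable length handling of OpenSSL 1.0.1 through 1.0.1f beside the bounds check that 1.0.1g added, and the client-side test the online checkers rely on (a reply that echoes more payload than was sent). The server's memory is modelled as a fixed array holding the received record and, right behind it, a constructed session cookie standing in for whatever a real process had next to the record; the handler names, the cookie text and the 300-byte claimed length are assumptions made for the illustration.

```c
/* Added example, not OpenSSL's code: a model of the Heartbleed over-read (CVE-2014-0160).
 * A fixed array stands in for server memory so the over-read is safe; the leaked data is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage: type (1), payload_length (2, big-endian), payload, >= 16 bytes padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Simulated server heap: the received record at the front, a constructed session cookie behind it. */
static uint8_t server_heap[512];
static const char secret[] = "Cookie: session=CONSTRUCTED-SAMPLE-TOKEN-0001";

typedef size_t (*hb_handler)(const uint8_t *rec, size_t rec_len, uint8_t *reply);

/* Build a request: claimed_len is the attacker-controlled length field; the real payload is shorter. */
static size_t build_heartbeat(uint8_t *out, const char *payload, uint16_t claimed_len)
{
    size_t n = strlen(payload);
    out[0] = HB_REQUEST;
    out[1] = (uint8_t)(claimed_len >> 8);
    out[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(out + 3, payload, n);
    memset(out + 3 + n, 0, HB_PADDING);
    return 3 + n + HB_PADDING;                          /* bytes actually put on the wire */
}

/* Reply construction shared by both handlers: copy `payload` bytes, wherever that leads. */
static size_t echo_payload(const uint8_t *rec, uint16_t payload, uint8_t *reply)
{
    reply[0] = HB_RESPONSE;
    reply[1] = rec[1];
    reply[2] = rec[2];
    memcpy(reply + 3, rec + 3, payload);
    memset(reply + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Vulnerable handler (OpenSSL 1.0.1 to 1.0.1f): trusts the length field inside the message and
 * never compares it with the record received, so the copy runs past the record, up to 64 KB. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *reply)
{
    (void)rec_len;                                      /* never checked: the bug */
    return echo_payload(rec, (uint16_t)((rec[1] << 8) | rec[2]), reply);
}

/* Fixed handler (the 1.0.1g check): drop any message whose header, claimed payload and
 * minimum padding do not fit inside the record that was actually received. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *reply)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;   /* silently discarded */
    return echo_payload(rec, payload, reply);
}

/* Client-side test behind the online checkers: a reply echoing more payload than we sent is bleeding. */
static int looks_vulnerable(const uint8_t *reply, size_t reply_len, size_t sent_payload)
{
    if (reply_len < 3 || reply[0] != HB_RESPONSE) return 0;
    return (size_t)((reply[1] << 8) | reply[2]) > sent_payload;
}

static int contains(const uint8_t *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

struct probe_result { size_t reply_len; int flagged; int leaked_secret; };

/* Send one "YELLOW SUBMARINE" heartbeat with the given length field to a handler. */
static struct probe_result probe(hb_handler handler, uint16_t claimed_len)
{
    static uint8_t reply[3 + 65535 + HB_PADDING];
    struct probe_result r = {0, 0, 0};
    const char *payload = "YELLOW SUBMARINE";
    if ((size_t)claimed_len + 3 > sizeof server_heap) return r;  /* keep the model in bounds */
    memset(server_heap, 0, sizeof server_heap);
    size_t rec_len = build_heartbeat(server_heap, payload, claimed_len);
    memcpy(server_heap + rec_len, secret, sizeof secret);       /* data beyond the record */
    r.reply_len = handler(server_heap, rec_len, reply);
    r.flagged = looks_vulnerable(reply, r.reply_len, strlen(payload));
    r.leaked_secret = contains(reply, r.reply_len, secret);
    return r;
}

int main(void)
{
    struct probe_result v = probe(heartbeat_vulnerable, 300), f = probe(heartbeat_fixed, 300);
    printf("vulnerable: %zu bytes, flagged=%d, cookie leaked=%d\n", v.reply_len, v.flagged, v.leaked_secret);
    printf("patched:    %zu bytes, flagged=%d, cookie leaked=%d\n", f.reply_len, f.flagged, f.leaked_secret);
    return 0;
}
```

With the dishonest 300-byte length field the vulnerable handler answers with 319 bytes that include the constructed cookie and is flagged by the client-side check, while the fixed handler drops the request. With an honest length of 16 both handlers answer the 35-byte record normally, which is why the fix broke nothing for legitimate heartbeats. The real exploit differs only in scale: it asks for 0xFFFF bytes and repeats until something interesting comes back.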

If you test a website and it is still vulnerable, do not share any information with that website, not even to change your password. A prudent recommendation would be to not visit the website at all until it has been patched and its private key and certificate have been replaced.

How to Check That a Website Has Updated Its Keys

Sample certificate testing results. Notice the valid from date.

Next, if you know that a website was vulnerable and has since been fixed, but you want to be extra sure it is safe to use again, check the date on its security certificate. You are looking for an issued or valid from (sometimes shown as "not before") date after April 7th, 2014. One caveat: a new date proves that the certificate was reissued, not that a new private key was generated, and some sites reissued certificates with the same key, which leaves them just as exposed. If you can compare the certificate's public key fingerprint before and after, it should have changed.

Option 1: Use a Website

The easiest way to check is by using one of the many websites that offer online tools for this very thing. SSL Shopper has a quick and easy to use online tool. At right is an example of the certificate for Google.com being tested.

Check a certificate online

Option 2: Check It Manually

Your web browser can also tell you when a certificate was issued: click the padlock in the address bar and open the certificate details, where the date appears as "Valid from" or "Not Before". Just follow these visual steps for your browser.

What About Passwords?

There are a couple ways you can look at your password security.

The Common Sense Approach

This flaw has existed for about two years. Common sense says that if you haven't visited the website you are concerned about since before April 7th, then your password is no less safe than it has been for the past two years; widespread publication of the flaw, and the surge in attempts to exploit it, began on that date. We still recommend that you change your passwords occasionally, that's simply good practice, and this is as good a time as any.

The Prudent Approach

Identify whether the website in question was affected by this OpenSSL flaw. See above for how you might do that. If so, and if it has been fixed and had new certificates installed, then yes, absolutely, change your password, PIN and any other secret you use to control your access to that website.

If you want to change your password, make sure that the website you are changing it at is no longer vulnerable before you do! See above for how. If it is still vulnerable, your new password can be stolen just as easily as the old one, and you could be doing yourself more harm than good.

A Word of Caution

Be skeptical of any email you unexpectedly receive that asks you to reset your password. That email, even if it looks like it comes from a trustworthy source and even if the link appears to go to the website in question, should not be trusted. If you receive such an email and decide to act on it, don't click the links in the email. Instead, visit the website yourself by typing its address into your web browser's address bar and then use that website's own password reset ("forgot password") tool.

Don't think that it can't happen to you. Only days after Heartbleed was disclosed, the Canada Revenue Agency had to take its online services offline after the social insurance numbers of about 900 taxpayers were stolen using this flaw. Authorities have since arrested a suspect, but this should be proof to you that criminals and the curious alike are successfully abusing the Heartbleed flaw.

Additional Information

About the Author

With a nearly two-decade background in programming, websites and database development, Randy Bowers has a lengthy and broad history of experience in online computing. As Director of Technology for The Lones Group, Inc., Randy oversees technology projects and online company assets, including client website development, online marketing campaigns and planning our company's technology position. On a typical day you'll find him programming new tools and providing friendly advice to help our clients grow with technology. When not at work he likes to spend his time with his family, writing music, exploring kitchen chemistry, biking and playing video games. He can be reached at randy@thelonesgroup.com.

 Categories: Help, Security