The last few days have seen a particular internet issue, “The Heartbleed Bug”, hit the mainstream media. Terms you may not have heard before are being bandied about as if they are common parlance – OpenSSL, TLS, X.509, RFC, CVE…. So what do you need to know?
How serious is this really?
Let’s just say that “switching off the internet for a while sounds like a fantastic idea” has been said.
Has anyone suffered an attack?
As far as we know at the moment, there have been no real world exploits of this vulnerability, but they might not have been detected. So better safe than sorry.
What is the Heartbleed Bug?
This is a serious vulnerability that allows information, which normally would be protected, to be stolen.
Communications on the internet use protocols called Secure Sockets Layer/Transport Layer Security (SSL/TLS) to protect information sent to and from your web browser and other applications. This is what is used when you use a web address that starts https:// and you see a padlock or something similar displayed in your browser. These protocols encrypt the information you are sending/receiving and when the encrypted message is received it is decrypted.
What the Heartbleed bug does is enable anyone on the internet to read the memory of systems protected by the vulnerable security software – which is particular versions of OpenSSL. This information compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
What is OpenSSL?
OpenSSL is commonly used software tool kit used to implement the SSL/TLS security. While it is used on a large number of sites it is not used everywhere – the estimate though is that maybe 60% of internet services use it. That is not to say all sites that do use OpenSSL are affected since not all versions have the vulnerability.
Are all versions compromised?
No, the vulnerability was introduced in version 1.0.1 which was released in March 2012 and has been present in all versions up until 1.0.1f. The latest version 1.0.1g had the vulnerability removed and versions before 1.0.1 (most commonly used 1.0.0 and 0.9.8 and 0.9.7) did not have the vulnerability at all.
Are sites and software from Systematic Marketing affected?
No. None of the sites we manage use OpenSSL so have not been affected by this vulnerability. In our software we do use OpenSSL for communicating with other services but the versions we use are not compromised.
What do I need to do now?
If you have login details for affected sites you should change your passwords, but don’t do it until the site has said that the patched update has been installed. Have a look at the Mashable link below to see sites reporting on the issue.
Where can I find more information?
There are several sites with information:
The official Heartbleed site
The Mashable hit list – a list of major sites that have reported whether you should change your password or not.
The OpenSSL site
A more technical explanation at The Register.
Can I buy the T-Shirt?
Yes you can! Visit heart bleed t shirt at teespring.