The dust seems to be settling over the Heartbleed storm. Questions have been asked and answered. The experts and the newbies have voiced their opinions. This, I feel, is a good moment to answer those little questions that we have always been meaning to ask, but feared being thought of as stupid. Here is my attempt to explain Heartbleed in simple question and answer format. I have provided as many references as possible for further exploration. Feel free to suggest changes / corrections!
What is Heartbleed?
Heartbleed is a vulnerability that affects sites that use OpenSSL for encryption. (two third of the Internet traffic, according to estimates). Its name is a play on ‘Heartbeat’ – a protocol used over TLS to maintain a connection. An attacker can get 64 Kb of information from the server’s memory at one time without it being encrypted. The attacker can keep getting 64 Kb of memory as often as he or she likes and basically glean all the information that is supposed to pass encrypted. This basically means that the attacker can get your private keys, your session keys and all the other crucial information.
Ok, what is this SSL business? And what is this heartbeat?
SSL stands for Secure Sockets Layer. In plain terms, it is a protocol that sits on top of the TCP protocol and encrypts everything. Once the TCP handshake is through, an SSL handshake happens, certificates are shared, keys are exchanged and a secure channel is established.
Once the SSL session is established, it had to be kept alive. If the session got disconnected, the entire handshake takes place again. What is the best way to keep a session alive? Keep sending packets at regular intervals and expect them back. This extension was built into OpenSSL and was called the ‘Heartbeat Extension’ – provides a heartbeat to keep the session alive.
The Heartbeat Extension provides a new protocol for TLS/DTLS allowing the usage of keep-alive functionality without performing a renegotiation and a basis for path MTU (PMTU) discovery for DTLS.
What exactly is the problem?
This vulnerability is in the checking of ‘bounds’ for the heartbeat extension. When a heartbeat packet is sent to the web server that has OpenSSL implemented, the server is supposed to respond with the exact same payload that it received. However, OpenSSL does not check what payload is returned. A smart programmer can ask for the memory dump of the server and get it.
How long has this been there?
Almost 2 years.
Am I affected?
As a user of services, there is a very high chance that you are affected. Here is a list of websites that have been affected.
As an organization, you will have to figure out if the SSL you use is affected. There are a few sites that can help you determine if you are vulnerabile. One of them is here:
What do I do now?
The best response explanation I found for end users was on the 1password blog. Here is an excerpt that will clear things up reasonably.
“Once a service upgrades to a fixed version of OpenSSL (or to some other cryptographic library), they will need to revoke the certificate that they had been using with with the vulnerable version of OpenSSL and obtain a new certificate. Exactly how long that takes will depend on how quickly they can get things sorted out with their certification authority. Certification authorities are going to be very busy over the next few weeks.
Only after a new, certified certificate is in place on a server that is not using a broken SSL/TLS library will it make sense for you to update your password for that service (or even trust your communication with it). Most of us simply have to wait until notified by various websites and services when and whether we should change passwords.”
The best thing for you to do is to log off from all sessions. (On your laptop, on your phone, on your tablet, everywhere). Most websites are doing this proactively to ensure a quicker mitigation. Go to the service’s website and check if it is affected by heartbleed. Check if they have fixed it already. If they have, log in and change your password. Keep different passwords for all services. Please use a password manager.