The Heartbleed Bug

The Heartbleed bug has been making news for quite some time now. Announced in April 2014, it has  been identified as one of the biggest security loophole in the OpenSSL technology. OpenSSL technology is an open source library which provides implementation of the SSL (Secure Sockets Layer) and TSL (Transport Sockets Layer) protocols and is mainly used to encrypt web communications. Heartbleed makes the sensitive information which travel using SSL or TSL protocol, vulnerable to attackers/hackers. Almost all our internet activities like web browsing, email, social media, banking etc has come at risk   because of this defect identified. Let us find out little more useful information about this bug.

Why is it called heartbleed?

As stated earlier, heartbleed is a bug identified in OpenSSL which is used to encrypt communications in   a secure manner over the web. OpenSSL works by checking whether a connection between 2 servers   is live or not. This is called heartbleed extension. Unfortunately there has been identified a flaw in the   code which implements this extension due to which it bleeds out some of the secure information from   the memory like passwords, credit card numbers etc. which can be intercepted by the attackers and   misused. Thus it is called HeartBleed.

Codenomicon was the first company to discover this bug and its name has been given by one of its   developer (cyber security company based in Finland) — Ossi Herrala.

What all are affected by this bug?

Heartbleed is a cause for concern as it has infiltrated Internet which is a global network connecting   millions and is widely used throughout the world.

Almost all our private data, passwords, web content has become vulnerable because of this security   fault. It could be that the site which we are accessing has been afflicted with the heartbleed bug making   our data more insecure and visible to the attackers. Internet activities such as email, web browsing,   social media, shopping, payments etc. are all at risk and it largely depends on the host channels or   websites to secure or apply a patch to fix this bug making the users almost hapless against it.

Many websites such as Google, Facebook, Tumblr, and Yahoo have already updated their software   against this bug. However, still a large number of other websites remain to declare they are safe to be   used and are not afflicted by HeartBleed.

How can we check if a particular website is affected by HeartBleed?

Developer Filippo Valsorda has developed a website, https://filippo.io/Heartbleed/, where we just need to enter the URL of the website you want to visit and   see the results. Screenshot below:

Apart from this several extensions have been developed which ease out the process to find if a website   is susceptible to HeartBleed. For example:

  • Chromebleed – It is an extension developed by Jamie Hoyle for chrome users which displays   a warning if we browse a site affected by HeartBleed. Chromebleed essentially uses the web   service developed by Filippo Valsorda and displays the warning message.
  • Foxbleed and Heartbleed Ext – Are few extensions available for Firefox users. Heartbleed Notifier   and Heartbleed Monitor are some other add-ons available for Firefox.

Acting against HeartBleed?

The end users are almost helpless against fixing this bug on their own. All they can do is to rely on the  website administrator / provider to apply the latest patches and fixes to protect their systems against   this bug. However some basic measures which can be taken are as below:

  1. Check authenticity of the website before accessing it to make sure it is heartbleed proof.
  2. Change passwords regularly and as often as possible. Make them complex and make sure same   password is not used for multiple accounts.
  3. Monitor payments, statement reports regularly and report any suspicious activity immediately  to the concerned authorities.
  4. As it affects even cell phones, update the software with the latest patched version to make sure  you and your data is safe.

However, the onus relies mainly on the website owners who need to update users of this susceptibility  and fix it as soon as possible.

The revelation of HeartBleed has made it known that we are not as safe as we think and the internet  which has converted itself to one of the necessities in our life needs more scrutiny and should be  handled with care. Also more caution needs to be used and we need to keep an eye for vulnerabilities  and any causes of concern.

As reports suggest it will still take some time for all websites to declare their acknowledgement of   this loophole and update themselves against it. Till then we can only hope that it gets fixed as soon as   possible and we are lucky enough not be caught in it.