Q&A: What is Heartbleed and should I change my password?

Two-year-old security hole in encryption system causing heartache for web users

Fri, Apr 11, 2014, 08:27

What is Heartbleed?
A major threat to the web; catastrophic; the worst thing to happen to the internet. The level of rhetoric depends on what you read, but one thing is clear: Heartbleed is bad news. Very bad news.

To get technical, it’s a two-year-old security hole in the encryption system used by many sites on the internet. OpenSSL is used to encrypt web traffic, usually denoted by the small closed padlock you see in your browser’s address bar that indicates your connection is secure. However, Heartbleed allows attackers to read that supposedly protected information out of the server’s memory.

The protocol is designed to confirm a secure connection between a user’s computer and a web server by sending a small piece of data (up to 64 kilobytes) from one side along with a number indicating how much data has been sent; the other side then sends back the same piece of data.

However, the replying side only looks at the stated size of the data rather than its actual size and always sends back the amount of data requested; if the stated amount is more than was actually supplied, the replying side will send additional information from the computer’s memory.
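The heartbeat exchange above, as an added example that is not part of the original article: a small Python model of the record format (type byte, two-byte payload length, payload, at least 16 bytes of padding, per RFC 6520), with the unpatched responder that trusts the stated length beside the patched one that checks the stated length against the bytes actually received, which is the fix that shipped in OpenSSL 1.0.1g. The "memory" is a constructed byte string in which the received record is followed by an unrelated secret, standing in for whatever else the process happened to hold.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: a heartbeat message carries at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request: type (1 byte) | payload_length (2 bytes, big-endian)
    | payload | padding. `claimed_length` lets the sender state a length that does
    not match the payload it actually supplies."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def respond_unpatched(memory: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour: copy `stated` bytes starting at the payload, regardless of
    how many bytes the record (record_len) really contained. Anything that sits in
    memory after the record is echoed back to the requester."""
    _, stated = struct.unpack("!BH", memory[:3])
    echoed = memory[3:3 + stated]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, stated) + echoed + b"\x00" * MIN_PADDING


def respond_patched(memory: bytes, record_len: int) -> Optional[bytes]:
    """Post-fix behaviour: header + stated payload + minimum padding must fit inside
    the received record, otherwise the heartbeat is silently discarded."""
    if record_len < 1 + 2 + MIN_PADDING:
        return None  # too short to even carry a header and padding
    _, stated = struct.unpack("!BH", memory[:3])
    if 1 + 2 + stated + MIN_PADDING > record_len:
        return None  # stated length does not match what was actually sent
    echoed = memory[3:3 + stated]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, stated) + echoed + b"\x00" * MIN_PADDING


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Everything in the echoed payload beyond the bytes the requester actually sent."""
    _, stated = struct.unpack("!BH", response[:3])
    echoed = response[3:3 + stated]
    return echoed[len(sent_payload):]


if __name__ == "__main__":
    # Constructed stand-in for other data the server process holds in memory.
    secret = b"cookie=constructed-session-token"
    honest = build_heartbeat(b"hello")
    memory = honest + secret
    print("honest request, patched:", respond_patched(memory, len(honest)) is not None)

    # Stated length covers the real payload, the padding and the secret beyond it.
    lying = build_heartbeat(b"hello", claimed_length=5 + MIN_PADDING + len(secret))
    memory = lying + secret
    print("lying request, patched: ", respond_patched(memory, len(lying)))
    print("lying request, unpatched leak:",
          leaked_bytes(respond_unpatched(memory, len(lying)), b"hello"))
```

The check in `respond_patched` is the whole fix: the record length is known from the TLS layer, so a stated payload length that cannot fit in it is simply wrong and the message is dropped rather than answered.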

“Basically, an attacker can grab 64K of memory from a server,” security expert Bruce Schneier wrote on his blog, Schneier on Security. “The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory – SSL private keys, user keys, anything – is vulnerable.

“And you have to assume that it is all compromised. All of it. ‘Catastrophic’ is the right word. On the scale of one to 10, this is an 11.”

The flaw may be two years old but was only recently made public by researchers at Google and security firm Codenomicon, prompting an understandable panic among web users.

Codenomicon built a website to provide information on the security hole, which gave some worrying information. “We have tested some of our own services from the attacker’s perspective. We attacked ourselves from outside, without leaving a trace,” Codenomicon said.

Essentially, attackers could exploit the flaw, swipe data and leave no trace that they were ever there.

What data is at risk?
Any data that has been sent over a previously presumed secure connection could have been compromised. That includes everything from passwords and encryption keys to banking details, credit card numbers and other sensitive information.

Who is affected?
It’s essentially a problem with the software on servers that host websites, meaning there is very little that web users can do, other than change passwords.

About 60 per cent of the sites on the internet use OpenSSL. That’s a lot of websites that could be vulnerable – experts estimate about half a million – and the majority are now working to patch their systems.
