The Heartbleed bug is one of the more serious computer security vulnerabilities I have seen. It was discovered yesterday and is just starting to hit mainstream media now, so I will summarise my understanding of it.
It affects some web sites that use HTTPS secure connections. The purpose of HTTPS is, among other things, to encrypt data sent between your computer and the web server, so that anyone who sees the data in transit across the internet cannot read it. So it is used whenever you log in to a web site or enter personal information. You know you are using it when your web browser displays a little padlock icon somewhere.
The bug is in a software library that implements HTTPS, called OpenSSL. Not all web sites use this library, but many do. The bug affects certain versions of the library. Importantly, though, the bug has been in the library since December 2011, and has only recently been detected and fixed.
During this time, an attacker who knew about the bug could send a request to a web server, and get back some random information from the server’s memory that should not be public. This information could be almost anything known by the web server software. It is a lucky dip: the attacker can not choose what information he will get. Importantly, though, it can include server certificates, and user names and passwords of the web site’s users.
Having obtained a certificate, an attacker could spy on data transferred from the user to the web site, including passwords and any information entered. This is not trivial, but can be quite easy in certain circumstances. For example, anyone can sit in a coffee shop and intercept WiFi traffic of other customers using WiFi in the shop, but they will only get information about the other coffee shop customers. On the other hand, the NSA can presumably spy on all data sent to any web site. There will be attackers with levels of sophistication between these extremes. Normally a web browser will shout warnings at you if a HTTPS connection has been intercepted. Having a web site’s certificate enables an attacker to silence such warnings.
User names and passwords can also be obtained directly using the Heartbleed bug. This only happens on certain web sites, and the details retrieved are random. It is not possible to quickly obtain all details of all users. Rather, every time the attack is made, one or two users’ details might be revealed. That said, the attack can be repeated, and in two years it can be repeated a lot. So a determined attacker could gather details of many people in this time. This is real. Users on Reddit were claiming to have seen Yahoo Mail passwords as recently as a few hours ago. Right now, Yahoo Mail is fixed.
So what can you do? Realise that you are affected, but don’t panic. There is a very good chance none of your details have leaked. You can not be certain, but you already were not certain. There are likely many more security holes that are not yet common knowledge. However, on services that you have particularly sensitive information, it would be wise to first check that the bug has been fixed, and then change your password.
You can check if the bug currently affects a given service with an online tool. If the service is at all high profile, it is a fairly safe bet that it is already fixed. But you can not tell if your details or a service’s certificate have been leaked in the past. Unless a service takes action, credentials and certificates obtained in the last two years can still be used by attackers to log in or spy on communications. Hopefully web administrators will communicate whether they have been affected and whether they have changed their certificates, so watch for announcements.
When you change your passwords, now is a good time to stop using the same password for every service you use. Start using a password manager such as LastPass, 1Password or Password Safe. All of these are acceptably safe in my opinion, but there is some interesting discussion on this topic. The great thing is that a password manager will generate a different, random, impossible to guess password for each site you use, meaning that if someone does find out your password to one service, the damage is limited to that service.
If a service offers two factor authentication, where you use a smartphone app which generates an ever-changing code, use that, because it means knowing your password alone is useless to an attacker.
If you run a web server that uses HTTPS and handles users’ information, educate yourself, upgrade, and inform your users.
More generally, if you can possibly arrange to live your life under the assumption that everything you have ever done on the internet could become public knowledge tomorrow, you could save yourself a lot of trouble. Keeping secrets is hard.
Also note that it’s not so bad for websites that support Perfect Forward Secrecy (e.g. Twitter, Google, EFF.org) as even obtaining the server keys doesn’t compromise conversations that happened previously and were recorded; it only allows the attacker (with a lot of care) to compromise conversations subsequent to getting the keys and before the keys next rotate.
Good writeup – you can install the tool on your own PC if you are getting timeouts. Here are some examples of testing a (currently) vulnerable site.. (I actually just changed the name as it’s not cool to draw attention to a vulnerable site. If he’s not fixed it by later today, then I’ll post the full link!)
http://filippo.io/Heartbleed/#secure.projectxxxx.com
http://bleed-1161785939.us-east-1.elb.amazonaws.com/bleed/secure.projectxxxx.com:443
There’s a Chrome extension too, which checks sites as you visit:
https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic/reviews
Installing the tool on your own PC:
Install GO from here: http://golang.org/doc/install#windows – grab the MSI.
Then make the following directories:
mkdir D:\gocode\
mkdir D:\gocode\bin
mkdir D:\gocode\pkg
mkdir D:\gocode\src
add the following system variable:
GOPATH D:\gocode\
and to your system path, add
;C:\Users\PROFILENAME\AppData\Local\GitHub\PORTAB~1\bin\
then pop open a CMD window and ….
go get github.com/FiloSottile/Heartbleed
go install github.com/FiloSottile/Heartbleed
then finally:
D:\gocode\bin\Heartbleed.exe somesite.com:443
Output will either say “safe” or look like this…
C:\Users\Jon>D:\gocode\bin\Heartbleed.exe secure.projectxxxxx.com:443
2014/04/09 09:58:05 ([]uint8) {
00000000 02 00 79 68 65 61 72 74 62 6c 65 65 64 2e 66 69 |..yheartbleed.fi|
00000010 6c 69 70 70 6f 2e 69 6f 59 45 4c 4c 4f 57 20 53 |lippo.ioYELLOW S|
00000020 55 42 4d 41 52 49 4e 45 e1 3f c2 68 ef ef 61 03 |UBMARINE.?.h..a.|
00000030 ba 44 46 8a 36 9d a8 30 de 07 5c 07 29 30 2b c3 |.DF.6..0..\.)0+.|
00000040 30 6b 8f 40 62 72 13 82 64 db 21 e1 8c c3 7c 99 |0k.@br..d.!…|.|
00000050 23 d4 fa ae a8 a6 ac 01 49 c6 88 e2 a5 71 e0 b5 |#…….I….q..|
00000060 e4 de f9 c0 5e 46 35 62 7e 96 43 a4 16 87 46 c9 |….^F5b~.C…F.|
00000070 1d 9b 1f 3a 16 29 fe fb 3b 24 47 73 7c 71 46 7d |…:.)..;$Gs|qF}|
00000080 48 bd cc 84 fb 0f c1 ac b7 20 3e bb |H…….. >.|
}
2014/04/09 09:58:05 secure.projectxxxxx.com:443 – VULNERABLE
All good to know Rob, cheers!
I too wrote up something similar: bit.ly/1iv7UYb
I’m curious though are your friends and associates still as clueless on what this is and how bad it could be? Mine are, no discussion on either Facebook page, a little on pinterest. No questions besides one friend wanting to know how this came to be and why it wasn’t caught.
Cheers, happy leaky internet!
Well written, Rob.
What about all those broadband routers sent out by the ISPs? Unless the user has locked down the admin access address there’ll be lots of fun to be had!
Automatic firmware updates all round? I doubt it.
Update:
After posting, I thought I’d see what others were saying about this issue.
The BBC site has this quote:
“UK internet service providers (ISPs) Sky, TalkTalk and Virgin Media confirmed that their home router suppliers had told them their equipment did not use OpenSSL.”
“keeping secrets is hard”
Wow, did you see the alt-text on the otherwise-spot-on XKCD cartoon? Good grief, if the author seriously can’t find something costing US$ 5.00 or less to use as a bludgeon (including the low LOW price of FREE! like a hunk of a fallen tree branch!) he’s way more of the lamest type of nerd than I ever suspected.
Kirk, it’s the government he’s talking about. They probably would have paid $50 for that wrench!