For last few days a serious vulnerability in OpenSSL bogged down tech world. HeartBleed, is a bug in OpenSSL’s implementation of SSL/TLS protocol. HeartBleed affected scores of websites, exposing credentials, encryption keys and sensitive information. Given the nature of the bug which went undiscovered for almost 2 years, there is strong possibility of sensitive data already been stolen.
What is HeartBleed bug?
Much has been written about this so we will not explain what it is? In simple words, it is a bug in OpenSSL’s implementation of SSL/TLS protocol for encrypted communication. If you or your favourite site is using https:// than chances are high that it may be vulnerable.
It is a coders mistake which happened two years back while fixing some issue in OpenSSL. The code doesn’t perform bounds checking allowing a hacker to read 64k chunks from servers RAM. Hacker can read one 64k chunk at a time, but can revisit to read more till he reads all that he needs.
Official designation of HeartBleed is CVE-2014-0160
Does it affect only websites?
Simple answer No. It affects all that communication which till now have been encrypted by OpenSSL cryptographic software library. In short, SSL/TLS communication that was encrypted, for example, IM/Chats, Emails, Virtual Private networks etc.
If you are server administrator
- To Detect if your sites are affected as Webmaster. You can use HeartBleed Test Site
- If yes
- Please patch/update your OpenSSL installation
i. If you don’t find the update for your distro then
- Recompile OpenSSL with
If you are user
As a user you can’t do much to protect yourself from HeartBleed. It is a possibility with high probability that you data would already be with hacker since this vulnerability is in open for last 2 years.Problem with this bug is it doesn’t leave any trace to find out whether your information is leaked or breached.
Now catch is if you jump to change passwords, chances are high that site or service you are using is still vulnerable. In this case you can use the HeartBleed Test Site to identify whether the site is vulnerable. If you find any site being vulnerable contact that site’s Webmaster to inform about this vulnerability.