VPN Articles and News

Heartbleed OpenSSL Vulnerability – What You Need To Know About The Threat

Monday, April 14th, 2014

The Heartbleed OpenSSL vulnerability is unarguably one of the biggest security threats ever to hit the internet. Unlike other online threats, Heartbleed makes it possible for criminals to steal extremely secure information without leaving any kind of footprint. This article will explain what Heartbleed really is and suggest few ways to fight the threat.

What Is Heartbleed OpenSSL Vulnerability?

Heartbleed is a programming flaw in OpenSSL, the open source protocol used in almost two thirds of active websites. The OpenSSL protocol is used to encrypt traffic between web servers and client machines and it powers some of the biggest emailing, social networking, instant messaging and ecommerce websites on the internet. The Heartbleed problem affects version 1.0.1 of OpenSSL and allows anyone to steal information from the memory of web servers without leaving a trace behind.

How Heartbleed Compromises Security?

When you try to access a website, your computer (or mobile device) sends a small chunk of data to the web server to test whether the website is up and running. If the web server is up, it will respond back by sending the same chunk of data back to the originating machine. The process of sending and receiving data in this way is known as hearbeat. The Heartbleed vulnerability exploits the heartbeat feature of OpenSSL and makes it possible for anyone to retrieve a large chunk of data from server memory. By using this flaw, hackers can extract up to 65,536 bytes of data through a single request. What’s worse, the attackers can send as many requests as they want and piece together larger chunks of information without arousing suspicion.

The Heartbleed flaw can compromise web servers, routers, VMs, VPNs, computers, mobile devices and even client softwares. By exploiting the loophole, criminals can easily steal passwords, emails, instant messages, confidential documents as well as other information from some of the biggest sites on the internet (example, Gmail, Yahoo, Facebook etc.). Security experts have also demonstrated that it is possible to steal private keys that are used to authenticate client server requests by making use of this vulnerability. Since the bug has been around for at least 2 years, the access to private key information allows the hackers to piece together information that they might have harvested from the web servers long time ago. Some experts have even suggested that NSA has been exploiting the flaw to gather private data of American citizens.

How To Protect Yourself From The Heartbleed Vulnerability?

According to some estimates, approximately 17% of web servers are affected by the Heartbleed vulnerability. A lot of banks and ecommerce websites use customized versions of OpenSSL so the chances of their systems getting affected by the flaw are pretty slim. While the OpenSSL community has already patched the code, the web service providers need to update their systems to the latest version of OpenSSL protocol to eliminate the Heartbleed threat from their networks. The process would also involve discarding old keys and recreating new private keys to authenticate user information. Most of the big service providers like Google, Yahoo and Facebook have already upgraded their systems but it could take a while before the patch is applied by Tier 2 and Tier 3 service providers.

As an end user, you can do a lot to protect yourself from the Heartbleed bug. This involves changing passwords to switching to service providers that use a two level authentication process. If you buy or rent web based services, you must ask your service provider to upgrade to the latest version of OpenSSL. Since no one is sure whether the bug has been exploited by criminals, it makes sense to take best possible precautions to protect yourself from the extremely dangerous Heartbleed vulnerability.

April 14, 2014

Leave a Reply

Your email address will not be published. Required fields are marked *

9 + 6 =