If you haven’t heard about The Heartbleed Bug yet, here is your chance. This page describes it nicely in not too technical detail. Let’s get a few quotes to get you started:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
That doesn’t just sound nasty. IT IS!
Here is a look at how much of the Internet is affected:
How widespread is this?
Most notable software using OpenSSL are the open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66% according to Netcraft’s April 2014 Web Server Survey. Furthermore OpenSSL is used to protect for example email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and wide variety of client side software. […] Furthermore OpenSSL is very popular in client software and somewhat popular in networked appliances which have most inertia in getting updates.
Also, as to how widespread are the affected versions of the OpenSSL:
How common are the vulnerable OpenSSL versions?
The vulnerable versions have been out there for over two years now and they have been rapidly adopted by modern operating systems.
And it’s not a fresh one either:
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
So, now that I’ve got your attention, let’s not waste any more time and look for the fixes. Check this Linux Weekly News post for the list of distributions providing updated packages. If you are not using Linux or your vendor hasn’t released the update yet, here is some information from the original OpenSSL Security Advisory:
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
You can use this handy tool to check if your servers are still vulnerable.
Your servers should be fine now. But just in case you want more information on the issue, here are few more resources for you to check:
- Diagnosis of the OpenSSL Heartbleed Bug – a technical look-into, complete with source code pieces and discussion on how and when it works.
- Reddit comments to the above analysis.
- Linux Weekly News post and comments – some more details as to what to check and replace.
- Slashdot discussion – more links, comments, and some of much needed humor to defuse the situation a bit.
- GitHub blog post – describes how a widely used web service handles the situation.
- LifeHacker post – describes what an average non-technical user can do about all this.
- Entrust Inc. on OpenSSL Heartbleed Bug – a word from the Certification Authority.
Did I miss anything interesting? Let me know in the comments.
In conclusion, here is another brief quote from The Heartbleed Bug site:
Is there a bright side to all this?
For those service providers who are affected this is a good opportunity to upgrade security strength of the secret keys used. A lot of software gets updates which otherwise would have not been urgent. Although this is painful for the security community, we can rest assured that infrastructure of the cyber criminals and their secrets have been exposed as well.
So, yeah, don’t stress out too much. It’s not the first such bug, and it’s not going to be the last either.