Envisager Studio

05.01.14 in Website Design

Heartbleed Is A Serious SSL Security Vulnerability

This is a must-read article. The Heartbleed OpenSSL vulnerability is REAL. All the chatter across the Internet is not hype; this is a major web problem. The vulnerability allows an attacker to steal information you have entered at websites under the protection of encryption, such as passwords and payment details.

Heartbleed has the potential to be the greatest vulnerability in the history of the web. To make matters worse, it’s difficult for the average web user to understand why this vulnerability is such a big deal, which web services have been affected, and what those service providers are doing to fix it.

Another major problem with the Heartbleed vulnerability is that it is technical in nature. This means that the onus is on the person who manages the web service (or who manages the back-end service the web service uses), not on the end user. You, the end user, are limited in how you can protect yourself and your information.

Security expert Bruce Schneier describes this vulnerability as “catastrophic”. On a scale of 1 to 10, he gives it an 11.

Why Heartbleed Is Such A Big Deal

At the core of Heartbleed is encryption. The purpose of encryption is to protect the information you send from your computer to another person or to another web server.

Most of us are heavy users of the Internet and we’re more aware than ever of the importance of keeping private and confidential information secure.

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. For example, if you and I spoke the same language and someone was listening to us that didn’t speak our language, they would not be able to understand what we were saying.

Encryption relies on keys. As a user, your computer holds keys for the connection, and the web application or server you use holds its own. Needless to say, it’s crucial that those keys stay secret.

The Internet handles security using a set of protocols commonly referred to as Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS). SSL/TLS is a major part of how the current web works.

There are various out-of-the-box solutions for providing SSL/TLS functionality to a website or application. The most common implementation is a set of open-source tools known as OpenSSL. OpenSSL is free and readily available for use in a multitude of different types of projects. Apache and Nginx, two of the most widely used web servers, both rely on OpenSSL. Printers, network routers, email services, and instant messaging clients can all use OpenSSL too.

If you use the Internet, you have definitely interacted with OpenSSL – probably several times a day without even realizing it because OpenSSL runs on about 66% of the web.

Why Is Heartbleed So Bad and Why Should I Be Concerned?

Ok, so if you’ve read this far, you understand that OpenSSL is an integral part of today’s Internet. What would happen if OpenSSL had a defect? What if that defect meant the secret keys between you and the server were compromised and now accessible to someone else?

What if the defect meant that someone could secretly gain access to the keys the server holds, make a copy for themselves, and eavesdrop on everything you say to that server? What if exploiting that defect left no trace? That’s Heartbleed. Since December 2011, this vulnerability has gone undetected. Many banks, private messaging services, applications, and websites have been vulnerable to this OpenSSL bug for over two years, because many software packages started shipping the vulnerable version of OpenSSL in May 2012.

Plugging The Heartbleed Vulnerability

While a patch that fixes the Heartbleed vulnerability in OpenSSL is already widely available, fixing the problem is not quite that simple. Every major Linux distribution has issued patches, and major web and cloud hosts such as Amazon have patched their own servers.

The patch is relatively easy to apply. The problem is that in addition to patching the software, services need to figure out whether they must also revoke and reissue their digital certificates, because the server’s private key may have been exposed while the bug was live. A digital certificate is what a web browser uses to verify that it is talking to the genuine web server. For example, when you make a purchase online or use a payment site such as PayPal, the web address begins with https rather than http.
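To make the defect described in the previous section and the fix described here concrete, below is a simplified C model of the TLS heartbeat handling at the centre of Heartbleed. It is an illustration added to this post, not OpenSSL’s code: the 256-byte `arena` standing in for the server’s memory, the `'K'`/`'P'` marker bytes and the function names are all ours, and the “patched” version reproduces the idea of the bounds check the fixed OpenSSL release added, not its exact source.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* RFC 6520 heartbeat: 1-byte type, 2-byte payload length, payload, >= 16 bytes padding. */
#define HB_HEADER_LEN 3
#define HB_PADDING_LEN 16
/* Constructed stand-in for process memory: the record sits at the start; the 'K' bytes
 * beyond it play the role of neighbouring secrets (keys, other users' data). */
static unsigned char arena[256];

/* Build a request that claims `claimed_len` payload bytes but carries only `real_len`. */
size_t build_request(uint16_t claimed_len, size_t real_len) {
    memset(arena, 'K', sizeof arena);
    arena[0] = 1;                                   /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memset(arena + HB_HEADER_LEN, 'P', real_len);  /* genuine payload */
    memset(arena + HB_HEADER_LEN + real_len, 0, HB_PADDING_LEN);
    return HB_HEADER_LEN + real_len + HB_PADDING_LEN; /* bytes actually received */
}

/* Unpatched: trusts the length field, ignores how much was received; copies past the record. */
size_t echo_unpatched(const unsigned char *rec, unsigned char *out) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return claimed;                                 /* bytes echoed back */
}

/* Patched: header + claimed payload + padding must fit inside the received record. */
size_t echo_patched(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN) return 0;      /* too short to parse */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER_LEN + claimed + HB_PADDING_LEN > rec_len) return 0; /* dropped */
    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return claimed;
}

/* Count echoed bytes that came from beyond the record (the 'K' region). */
size_t leaked_bytes(const unsigned char *out, size_t n) {
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++) leaked += (out[i] == 'K');
    return leaked;
}

int main(void) {
    unsigned char out[sizeof arena];
    size_t rec_len = build_request(200, 4), n = echo_unpatched(arena, out);
    printf("unpatched: echoed %zu bytes, %zu leaked\n", n, leaked_bytes(out, n));
    printf("patched:   echoed %zu bytes\n", echo_patched(arena, rec_len, out));
    return 0;
}
```

The unpatched handler echoes 200 bytes of which 180 never belonged to the request, which is exactly why a patched server whose keys may already have been copied still needs new certificates.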

We know this is scary. If you have any questions you would like to ask us about the Heartbleed bug, post them in the comment section below and we will be sure to answer you.