On April 7, 2014, OpenSSL publicly broke the news about the vulnerability called Heartbleed. The news caused a stir in the world of technology after the announcement. The vulnerability in the OpenSSL software was discovered by Neel Mehta; and Bodo Moeller and Adam Langley were asked to correct it.
The Heartbleed bug is a vulnerability found in some versions of OpenSSL cryptographic software libraries. These libraries handle security for the biggest websites. In summary, a vulnerability found in any part of the software (the often mentioned “heartbeat” extension, which allows a secure connection to the server where websites are hosted) allows hackers to read and collect data that is stored in the memories of these systems. This failure has the potential to be one of the biggest vulnerabilities of rapid expansion in the modern history of the internet. The vulnerability is present in versions 1.0.1 up to 1.0.1f of OpenSSL (but not in other versions of OpenSSL).
On the website Schneier on security, Bruce Schneier says:
Catastrófico es la palabra correcta. En una escala de 1 al 10, esto es un 11.
Catastrophic is the right word. On the scale of 1 to 10, this is an 11.
Meanwhile, Matthew Green writes in his blog
The problem is fairly simple: there's a tiny vulnerability — a simple missing bounds check — in the code that handles TLS ‘heartbeat’ messages. By abusing this mechanism, an attacker can request that a running TLS server hand over a relatively large slice (up to 64KB) of its private memory space.
At the root of HeartBleed is the encryption of data. By analogy, encryption is a secret language between two people. The Internet works by using certain security protocols and encryption commonly known as Transport Security Layers (TSL) and previously, Sockets Security Layers (SSL). SSL and TSL are a set of open source tools known as Open SSL. It is also known as Open SSL and works on 66% of the net as the encryption protocol to keep internet users’ information protected from misuse.
What is the vulnerability?
The TSL Heartbeat mechanism is designed to keep connections alive even when not transmitting data. Heartbeat messages sent by a pair contain random data and payload length. The other pair is expected to respond with a mirror of exactly the same data.
So what happens if Open SSL is faulty? What happens is that these secret keys which are shared with the server are suddenly accessible to anyone. This means that there is a lot of information available to anyone and users will probably never know who else has access to the information.
The worst part is that this vulnerability has existed since December 2011, and many software packages started using the vulnerable version of Open SSL after May 8, 2012. This means that for two years, any website, application, bank or IM service using SSL security protocols was vulnerable.
This weakness is technically complicated to fix and it is not enough that information technology professionals use the patch on copies of Open SSL that are using their devices, applications or websites.
To avoid being victimized by this vulnerability in encryption protocols used on the Internet, one should first check that suppliers have updated the Heartbleed patch. Then the password must be changed.
The feeling of alert remains in force [Twitter links are in Spanish]
— hackplayers (@hackplayers) abril 21, 2014
Google Dork to find Juniper SSL VPNs vulnerable to # HeartBleed: The heart of the Internet continues to bleed ….
#Heartbleed sí que puso a temblar a los database managers de todo el mundo y a nosotros a cambiar passwords. La vulnerabilidad es universal
— Clicerio MP (@ClicerioMP) abril 21, 2014
Heartbleed has shaken up database managers worldwide and made us change passwords. Vulnerability is universal.
— Juan Carlos Vázquez (@jc_vazquez) abril 21, 2014
[Infographic] # Heartbleed’s bottom line… interesting note on the data protection law.
— AMIPCI (@AMIPCI) abril 21, 2014
Heartbleed threatens your privacy, change your passwords!
Mashable presents a list of web sites that are subject to the Heartbleed vulnerability for which it is recommended that we change our passwords.