- Jun 15, 2011
- Content source
- http://www.Extremetech.com
What is the Heartbleed bug?
Heartbleed is a bug in OpenSSL’s implementation of the SSL/TLS protocol. OpenSSL is an open source library that manages secure, encrypted communications for the majority of online web servers. If the server supports encrypted communications — i.e. it accepts addresses that start with https:// — then there’s a good chance that it’s vulnerable to Heartbleed. You can use the Heartbleed test website to see if a site is vulnerable to the exploit.
I won’t get into the technical details of what caused the Heartbleed bug in the first place — the Heartbleed website has all the info you might need — but I’ll tell you roughly how it works and what data it exposes. Heartbleed, official designation CVE-2014-0160, is a bug in OpenSSL’s heartbeat extension. It isn't important to know what this extension does, only that it was poorly coded (in coder speak, it lacked bounds checking). This bug can be exploited by a hacker to read blocks of 64KB from the server’s RAM. The hacker can only grab one 64KB block at a time, but he can keep going back for more until he’s gathered all the data he needs.
With access to the server’s memory, the jig is up. Passwords, security certificates (encryption keys), other sensitive details — they're all stored in memory, and they've all been exposed for the last two years thanks to OpenSSL’s Heartbleed bug.
Should you change your password?
Before you change your password due to the Heartbleed bug, there are two factors you need to consider. First, was the website affected by the Heartbleed bug in the first place? Second, if it was affected, has that website installed a new version of OpenSSL (which fixes the bug), and has the website updated its security (encryption) certificates?
If the website did not use a vulnerable version of OpenSSL, you don’t need to change your password. So far, Microsoft, AOL, and LinkedIn have said they did not use the offending software, and that you are safe. The one exception to this rule is if you used the same password across multiple websites, in which case you should change your password. (You should always use different passwords for every website, but we’ll talk more about that in the next section.)
If the website was vulnerable to the Heartbleed bug, the situation is more complex. If the website says it has fixed the bug, and installed new security certificates, then it’s safe to change your password. If not, you must wait. If you change your password on a website still vulnerable to the Heartbleed bug, your password (and other sensitive details) could still be obtained by hackers.
The problem is, many web service providers are still scrambling to suss out whether they’re vulnerable, and to roll out fixes if they were. As a result, many thousands or millions of websites haven’t yet made a public announcement about whether it’s safe to use their services again. Of the big web service providers, Yahoo, Google, Facebook, and Dropbox were all vulnerable to the Heartbleed bug, but it is now safe to change your passwords for these sites and all related services.
- Take Care,
- Hugs & Cheers
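To make the "lacked bounds checking" remark above concrete, here is an added, simplified C model of a heartbeat handler carrying the length check that the fix introduced; it is example code written for this page, not OpenSSL's source, and it assumes only the RFC 6520 message layout (a type byte, a two-byte length, the payload, then at least 16 bytes of padding) and two constructed sample records.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat (RFC 6520): 1-byte type, 2-byte big-endian payload_length, payload, then >=16
 * bytes of padding. The bug was trusting payload_length without comparing it to rec_len. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16

/* Hardened handler: builds the response in out, returns its length or -1 on rejection.
 * The length check follows the structure of the public fix (header + claim + padding <= received). */
int heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];           /* length the peer claims */
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;     /* the check that was missing */
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                         /* only bytes that really arrived */
    memset(out + 3 + payload, 0, HB_PADDING);                  /* padding content is irrelevant here */
    return (int)resp_len;
}

/* Constructed sample records, not captured traffic; unlisted bytes are zero and act as padding. */
static const uint8_t honest_rec[1 + 2 + 5 + 16] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t bogus_rec[1 + 2 + 2 + 16]  = { HB_REQUEST, 0xFF, 0xFF, 'h', 'i' }; /* claims 65535, sends 2 */

/* Returns 24 for the honest record, provided the echoed payload reads "hello"; -2 otherwise. */
int honest_response_len(void) {
    uint8_t out[64];
    int n = heartbeat_respond(honest_rec, sizeof honest_rec, out, sizeof out);
    return (n == 24 && memcmp(out + 3, "hello", 5) == 0) ? n : -2;
}

/* Returns -1: the oversized claim is rejected rather than served from memory. */
int bogus_response_len(void) {
    uint8_t out[64];
    return heartbeat_respond(bogus_rec, sizeof bogus_rec, out, sizeof out);
}

int main(void) {
    printf("honest record -> response of %d bytes\n", honest_response_len());
    printf("bogus record  -> %d (rejected)\n", bogus_response_len());
    return 0;
}
```

Without the marked check, the handler would copy 65535 bytes starting at the two bytes that actually arrived, which is the 64KB-per-request read the post describes.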