Friday 2 May 2014

The Aftermath of Heartbleed

What is the Heartbleed Bug?

I know a number of media outlets have given a variety of descriptions, but I have taken this one from the Heartbleed website (

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).  

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

In short, the software technology that some organisations use to protect connections and transfer of information has a vulnerability.  This could allow someone to monitor and see the data transfer of information, even though it is in a secure tunnel.

The following cartoon may be a light hearted look at the vulnerability, but it has some very far reaching consequences: 

Fixing the Heartbleed vulnerability

The software package in question, OpenSSL, needs to be patched.  That sounds like a straightforward request, but as a user you will have very little interaction to do this.  This software is often used on websites to allow it to create secure tunnels, but the reliance is on the website administrator to put these upgrades in place to remove the vulnerability.  The secure tunnel relies on the exchange of digital certificates to prove the tunnel should be trusted, but if these certificates have been compromised, they will need to be revoked and reissued. Again, this is a task for the website administrator.

Aside from websites, various IT manufacturers use OpenSSL to secure access to their solutions, whether it’s the administration console, remote access certificates, etc.  The reliance then is on the manufacturer to upgrade their solution with a patched version of OpenSSL, compile their solution and test it, before then releasing it for public consumption.  Most of the bigger manufacturers released statements within hours, and updated versions of code within days.  There are still some manufacturers who have done neither.

Next steps

If you are a user of a website that uses OpenSSL, ensure they have updated to a version without the vulnerability and as a precaution, change your password.

As an administrator of a website that uses OpenSSL, ensure the site has been updated to a version without the vulnerability, then revoke and reissue the certificate.  Prompt the users to change their password, and ensure they receive the reissued certificate.

As an administrator of an IT solution that uses OpenSSL, follow the manufacturer’s guidelines, which will be to update or patch the software to the latest version, which will include the fix to the OpenSSL issue. It may still be necessary to revoke and reissue the certificate, as well as change any passwords.

Most importantly, check your systems are no longer vulnerable after any changes.  There are a number of services that can check, including a complimentary check the organisation I work for is offering.  More information around that service can be found here: 

No comments:

Post a Comment