HTTPS Virus HeartBeat & HeartBleed: a Bug Breaks Worldwide Internet Security Again
A new bug shrinks trust on the Internet on a significant scale. This bug, called 'Heartbleed' after the OpenSSL heartbeat feature it abuses, is based on a fault in the functionality of the widely used OpenSSL library, which runs on a huge number of servers on the net. It was originally discovered by Neel Mehta of Google security and it works like this: the attacker can retrieve memory (up to 64 KB) from the remote system. This memory may contain usernames, passwords, keys or other useful information that enables bigger attacks. An attacker may, for example, be able to retrieve the keys and secrets used to encrypt traffic and then intercept and read the communications of all other users of that service. Some people think that 64 KB is a very small amount of data, and it is, but of course the attacker can connect repeatedly, progressively collect all the memory of a server, and analyze it later. This is a serious problem.
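The fault is a missing bounds check on the heartbeat message: the sender declares a payload length, and the vulnerable code trusted that field instead of checking it against the bytes actually received. The parser below is an added illustration (not OpenSSL's code) that applies the check the fix introduced, following the heartbeat message layout from RFC 6520 (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding); the sample messages are constructed here.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


def parse_heartbeat(record: bytes):
    """Parse a TLS heartbeat message and return (type, payload), or None.

    None means the message must be discarded, in particular when the
    payload_length field claims more bytes than the record carries.
    That discard is the bounds check missing from vulnerable OpenSSL;
    without it, the responder echoed back payload_length bytes, reading
    past the received data into whatever else sat in process memory.
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        return None
    hb_type = record[0]
    (payload_length,) = struct.unpack("!H", record[1:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    # The fix: declared payload plus minimum padding must fit in the record.
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return None
    return hb_type, record[3:3 + payload_length]


def build_heartbeat(hb_type: int, payload: bytes) -> bytes:
    """Encode a heartbeat message (zero padding for determinism; real stacks use random padding)."""
    return bytes([hb_type]) + struct.pack("!H", len(payload)) + payload + b"\x00" * MIN_PADDING


def build_response(request: bytes):
    """Answer a heartbeat request only with the bytes it actually carried."""
    parsed = parse_heartbeat(request)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])


# Constructed sample: a well-formed request carrying a 5-byte payload.
GOOD = build_heartbeat(HEARTBEAT_REQUEST, b"hello")
# Constructed sample: the same 5-byte payload but a length field claiming 65535 bytes.
BAD = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 65535) + b"hello" + b"\x00" * MIN_PADDING

if __name__ == "__main__":
    print("good:", parse_heartbeat(GOOD))   # (1, b'hello')
    print("bad:", parse_heartbeat(BAD))     # None: discarded instead of answered
```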
The Consumer's Point of View
Consumers should assume that their usernames, passwords or secrets may have been leaked and take steps to reset their passwords once the provider has patched. In this case it is very difficult, if not impossible, to retrospectively identify whether someone attacked your systems, so it is better to assume compromise, reset your credentials and play it safe.
Panic over the Net
There is panic over the issue (see #heartbleed on Twitter). The defect has been in the code for over 2 years! Many are surprised that the bug has only just been found, particularly as the OpenSSL code is open source and has been reviewed by a substantial number of people. This speaks to the challenge of writing secure software and of bug hunting, but also highlights that there should be more systematic review of software that is so critical to all of our security and trust online.
How to Check It
Check whether your website, apps or any products use OpenSSL and whether they are vulnerable to the attack. There is a neat site at http://filippo.io/Heartbleed/ where you can quickly run the check. If a website is reported to be vulnerable, you should IMMEDIATELY contact the provider, and change your password as soon as the bug is fixed.