Heartbleed

The Heartbleed bug is a buffer over-read in OpenSSL's implementation of the TLS Heartbeat extension. OpenSSL is a widely used library written in C that implements the SSL and TLS protocols; other languages use it through wrappers (language bindings) around the C library. TLS runs on top of the transport layer (layer 4 of the OSI model, normally TCP) and encrypts application data before it is handed to the transport connection, so it sits above layer 4 rather than implementing it.

The Heartbeat extension (RFC 6520) lets either end of a TLS or DTLS connection keep it alive by periodically sending a small message that the peer must echo back, every few seconds for example. It was mainly added for DTLS, which runs over UDP and otherwise has no way to tell whether the other side is still there. A heartbeat in computing in general refers to this kind of periodic liveness signal.

The peer that sends a heartbeat request chooses how much data goes in it. A heartbeat message must fit in one TLS record, so a legitimate payload is at most about 16 kilobytes and is usually far smaller, but the payload length is carried in a 16-bit field, so a sender can claim anything up to 65,535 bytes. The request contains an arbitrary payload plus that length field, and the receiver must echo the payload back in a response. OpenSSL allocated the response using the claimed length and copied that many bytes out of the incoming record without checking the claim against the size of the record it had actually received. So a request carrying a 1 kilobyte payload but claiming 64 kilobytes gets a response containing that 1 kilobyte followed by roughly 63 kilobytes of whatever happened to sit next to the record in the process's heap. An attacker can repeat this as often as they like, and nothing is logged. The leaked memory can include the server's private key, TLS session keys, session cookies, and the plaintext usernames and passwords of other users. With the private key an attacker can impersonate the server and, for connections that did not use forward secrecy, decrypt captured traffic. The attack also works in reverse: a malicious server can bleed memory from a vulnerable client.

The Heartbleed bug was committed to the OpenSSL source on 12/31/2011 and first shipped in the OpenSSL 1.0.1 release on 3/14/2012. It was reported to OpenSSL on 4/1/2014 by Neel Mehta of Google's security team (Codenomicon found it independently at about the same time), and OpenSSL 1.0.1g, which fixes it, was released on 4/7/2014; the bug is tracked as CVE-2014-0160. The affected versions are 1.0.1 up to and including 1.0.1f (plus the 1.0.2-beta1 prerelease); the 0.9.8 and 1.0.0 branches never contained the heartbeat code. The patch is a bounds check: if the claimed payload length plus the header and padding exceeds the length of the record actually received, the message is silently discarded. Builds compiled with -DOPENSSL_NO_HEARTBEATS were not exposed, which was the workaround for anyone who could not upgrade immediately. Because the leak leaves no trace, patching alone is not enough: affected sites had to reissue certificates with new private keys, invalidate existing sessions, and have users change passwords. Around 500,000 servers, about 17% of the SSL web servers with certificates from trusted authorities, were estimated by Netcraft to be vulnerable when the bug was disclosed.
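To make the over-read and the fix concrete, here is an added example that is not code from the original post or from OpenSSL itself. It simulates heartbeat processing with the RFC 6520 message layout (type, 2-byte length, payload, 16 bytes of padding). The handler names, the 256-byte arena standing in for the heap, and the planted "secret" are all constructed for the demonstration; the vulnerable handler follows the logic of the pre-1.0.1g code, and the fixed one adds the two length checks from the 1.0.1g patch.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 6520 HeartbeatMessage on the wire:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16, HB_HDR = 1 + 2 };

/* Constructed fixture: writes a heartbeat request into arena and plants a fake
 * secret right after it, standing in for whatever sat next to the record on the
 * heap. claimed_len is what the sender puts in the length field; it need not
 * match the real payload. Returns the true record length. */
size_t build_request(uint8_t *arena, size_t cap, uint16_t claimed_len,
                     const char *payload, const char *secret)
{
    size_t plen = strlen(payload);
    size_t rec = HB_HDR + plen + HB_PADDING;
    memset(arena, 0, cap);                        /* padding bytes stay zero */
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HB_HDR, payload, plen);
    memcpy(arena + rec, secret, strlen(secret));  /* "adjacent heap memory" */
    return rec;
}

/* Shared tail of both handlers: echo payload_len bytes starting at p.
 * OpenSSL malloc'd a response of exactly this size; here the caller's buffer
 * bounds it. Returns bytes written, or -1 if resp is too small. */
static int send_response(const uint8_t *p, uint16_t payload_len,
                         uint8_t *resp, size_t resp_cap)
{
    size_t out = HB_HDR + (size_t)payload_len + HB_PADDING;
    if (out > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload_len >> 8);
    resp[2] = (uint8_t)(payload_len & 0xff);
    memcpy(resp + HB_HDR, p, payload_len);        /* over-reads when payload_len lies */
    memset(resp + HB_HDR + payload_len, 0, HB_PADDING);
    return (int)out;
}

/* Vulnerable handler, following the logic of OpenSSL 1.0.1 to 1.0.1f: the
 * length field is trusted and record_len is never consulted. */
int heartbeat_vulnerable(const uint8_t *msg, size_t record_len,
                         uint8_t *resp, size_t resp_cap)
{
    const uint8_t *p = msg;
    uint8_t hbtype = *p++;
    uint16_t payload_len = (uint16_t)((p[0] << 8) | p[1]);   /* n2s(p, payload) */
    p += 2;
    (void)record_len;                                         /* never checked: this is the bug */
    if (hbtype != HB_REQUEST) return -1;
    return send_response(p, payload_len, resp, resp_cap);
}

/* Patched handler with the two checks added in OpenSSL 1.0.1g: a message whose
 * claimed payload does not fit in the record actually received is silently
 * discarded, as RFC 6520 section 4 requires. */
int heartbeat_fixed(const uint8_t *msg, size_t record_len,
                    uint8_t *resp, size_t resp_cap)
{
    if (HB_HDR + HB_PADDING > record_len) return -1;          /* too short to hold a header */
    const uint8_t *p = msg;
    uint8_t hbtype = *p++;
    uint16_t payload_len = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (HB_HDR + (size_t)payload_len + HB_PADDING > record_len)
        return -1;                                            /* the Heartbleed check */
    if (hbtype != HB_REQUEST) return -1;
    return send_response(p, payload_len, resp, resp_cap);
}

/* Searches a response (not NUL-terminated) for needle; 1 if found, else 0. */
int response_contains(const uint8_t *resp, int len, const char *needle)
{
    size_t n = strlen(needle);
    if (len < 0 || (size_t)len < n) return 0;
    for (size_t i = 0; i + n <= (size_t)len; i++)
        if (memcmp(resp + i, needle, n) == 0) return 1;
    return 0;
}

/* Runs a 4-byte "ping" with the given claimed length through one handler.
 * Returns the reply length, -1 if discarded, -2 if claimed_len would take the
 * simulation itself outside the 256-byte arena. */
static int run_probe(int use_fixed, uint16_t claimed_len, uint8_t *resp, size_t cap)
{
    uint8_t arena[256];
    if (HB_HDR + (size_t)claimed_len > sizeof arena) return -2;
    size_t rec = build_request(arena, sizeof arena, claimed_len, "ping",
                               "pw=hunter2 -----BEGIN PRIVATE KEY-----");
    return use_fixed ? heartbeat_fixed(arena, rec, resp, cap)
                     : heartbeat_vulnerable(arena, rec, resp, cap);
}

int probe_len(int use_fixed, uint16_t claimed_len)
{
    uint8_t resp[256];
    return run_probe(use_fixed, claimed_len, resp, sizeof resp);
}

/* 1 if needle came back in the reply to that probe, 0 otherwise. */
int probe_leaks(int use_fixed, uint16_t claimed_len, const char *needle)
{
    uint8_t resp[256];
    int n = run_probe(use_fixed, claimed_len, resp, sizeof resp);
    return response_contains(resp, n, needle);
}

int main(void)
{
    printf("honest request (claims 4):     vulnerable=%d fixed=%d\n", probe_len(0, 4), probe_len(1, 4));
    printf("malicious request (claims 200): vulnerable=%d fixed=%d\n", probe_len(0, 200), probe_len(1, 200));
    printf("password leaked by vulnerable handler: %s\n",
           probe_leaks(0, 200, "hunter2") ? "yes" : "no");
    return 0;
}
```

The honest request is answered identically by both handlers (a 23-byte reply: 3-byte header, "ping", 16 bytes of padding). The request that claims 200 bytes gets a 219-byte reply from the vulnerable handler containing the planted password and key fragment, while the fixed handler returns -1 and sends nothing. In the real library the over-read ran across the live heap rather than a prepared arena, which is why it rarely crashed and why the contents varied from one request to the next.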

According to Bloomberg News, the NSA had known about this bug for at least two years and chose not to disclose it so that it could keep exploiting it. The NSA has denied these allegations.

Sources:

A useful diagram: http://en.wikipedia.org/wiki/File:Heartbleed_bug_explained.svg

http://en.wikipedia.org/wiki/Heartbleed#Appearance

http://en.wikipedia.org/wiki/OpenSSL

http://en.wikipedia.org/wiki/OSI_model

http://en.wikipedia.org/wiki/OSI_model#Layer_4:_transport_layer

http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html


5 thoughts on “Heartbleed”

  1. Once again, the severity of the issue must be presented more intensely to the public.

  2. In regard to the NSA possibly knowing about this, I would not be surprised if they did know about it but decided not to go public with it. I am not someone who believes the NSA is stalking everyone, but I would not be surprised if they knew about Heartbleed before everyone else.

  3. Regardless of whether they were using it or not, if it’s been known about for this long it should have been fixed. It’s a severe security risk.

  4. That's just it, it's been out for so long and they hardly have a fix for it, and a faction of the population is unaware or doesn't understand enough to care, so hey, who said they weren't trying to fix the problem as well as exploit it while it's there?

  5. It’s amazing how long this exploit was out before anyone caught onto it. Furthermore, it’s amazing how long it took officials to find out about it. It’s easy to get comfortable with the internet today, but this is pretty jarring knowing that much of the web is not secure.
