Massive Bug in OpenSSL Puts Much of Internet At Risk

Ryan Dube 09-04-2014

If you’re one of those people who’ve always believed that open source cryptography is the most secure way to communicate online, you’re in for a bit of a surprise.


This week, Neel Mehta, a member of Google’s security team, informed the OpenSSL development team that OpenSSL’s “heartbeat” feature contains an exploitable flaw. Google discovered the bug while working with security firm Codenomicon on attempts to hack its own servers. Following Google’s notification, on April 7th the OpenSSL team released its own Security Advisory along with an emergency patch for the bug.

The bug has already been given the nickname “Heartbleed” by security analysts, because it uses OpenSSL’s “heartbeat” feature to trick a system running OpenSSL into revealing sensitive information held in its memory. While much of what sits in memory may be of little value to hackers, the real prize would be the very keys the system uses to encrypt communications.

Once the keys are obtained, hackers can decrypt communications and capture sensitive information such as passwords, credit card numbers and more. The only requirement for obtaining those keys is to keep consuming the encrypted data from the server for long enough to capture them. The attack is undetectable and untraceable.

The OpenSSL Heartbeat Bug

The ramifications of this security flaw are huge. OpenSSL was first established in December of 2011, and it quickly became a cryptographic library used by companies and organizations all around the Internet to encrypt sensitive information and communications. It is the encryption library used by the Apache web server, on which nearly half of all websites on the Internet are built.

According to the OpenSSL team, the security hole comes from a software flaw.


“A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.”
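To make the advisory’s “missing bounds check” concrete, here is an added illustration (not OpenSSL’s code, and not from the original article) that models a heartbeat handler with and without the length check. The record layout, function names and the constructed memory contents are this example’s own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Simplified model of a TLS heartbeat request: 1-byte type, 2-byte big-endian
 * payload_length, payload, then >= 16 bytes padding. Layout and names here are
 * this example's own simplification, not OpenSSL's. */
#define HB_HEADER_LEN  3
#define HB_PADDING_MIN 16
#define HB_DECLARED_LEN(rec) ((size_t)(((rec)[1] << 8) | (rec)[2]))

/* Unchecked handler: copies payload_length bytes into the reply without ever
 * comparing it to rec_len (the bytes actually received), so whatever lies
 * after the record in memory is echoed back to the peer. */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap) {
    size_t n = HB_DECLARED_LEN(rec);      /* attacker-chosen length field */
    (void)rec_len;                        /* the missing bounds check */
    if (n > out_cap) n = out_cap;
    memcpy(out, rec + HB_HEADER_LEN, n);  /* reads past the received record */
    return n;
}
/* Hardened handler: drop any record whose declared payload plus header and
 * minimum padding exceeds what was received. Returns 0 on rejection. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len,
                        uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER_LEN + HB_PADDING_MIN) return 0;
    size_t n = HB_DECLARED_LEN(rec);
    if (HB_HEADER_LEN + n + HB_PADDING_MIN > rec_len || n > out_cap) return 0;
    memcpy(out, rec + HB_HEADER_LEN, n);
    return n;
}
/* Constructed scenario: 23 bytes arrive (payload "ping" + 16 bytes padding)
 * but the header claims 40; a secret sits right after the record in memory. */
static const uint8_t process_memory[64] = {
    0x01, 0x00, 0x28, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y' };
static const uint8_t valid_record[23] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' };

int unchecked_leaks_secret(void) {        /* 1 if the secret is echoed back */
    uint8_t out[64];
    size_t n = hb_reply_unchecked(process_memory, 23, out, sizeof out);
    return n == 40 && memcmp(out + 20, "SECRET-KEY", 10) == 0;
}
int checked_rejects_oversized(void) {
    uint8_t out[64];
    return hb_reply_checked(process_memory, 23, out, sizeof out) == 0;
}
int checked_echoes_valid(void) {          /* the fix keeps valid traffic working */
    uint8_t out[64];
    size_t n = hb_reply_checked(valid_record, 23, out, sizeof out);
    return n == 4 && memcmp(out, "ping", 4) == 0;
}
```

The constructed buffer keeps every read inside one array so the leak is reproducible without undefined behaviour; in a real process the over-read lands on whatever happens to follow the record.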

Without leaving any trace on server logs, hackers could exploit this weakness to obtain encrypted data from some of the most sensitive servers on the Internet, like bank web servers, credit card company servers, bill payment websites, and more.

The likelihood of hackers obtaining the secret keys remains in question, though, because Adam Langley, a Google security expert, posted to his Twitter stream that his own testing did not turn up anything as sensitive as secret encryption keys.

In its Security Advisory on April 7th, the OpenSSL team recommended an immediate upgrade, and an alternative fix for server administrators who cannot upgrade.

“Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. 1.0.2 will be fixed in 1.0.2-beta2.”

Given how widely OpenSSL has spread across the Internet over the last two years, the likelihood of the Google announcement leading to impending attacks is fairly high. However, the impact of those attacks can be mitigated if as many server administrators and security managers as possible upgrade their company systems to OpenSSL 1.0.1g as soon as they can.


Source: OpenSSL


  1. Robert B
    April 10, 2014 at 5:51 pm

    "If you’re one of those people who’ve always believed that open source cryptography is the most secure way to communicate online, you’re in for a bit of a surprise."
    Ryan, it appears that you are one of those anti open source trolls. No one has ever asserted that open source software was perfect! It's also apparent from information you include in your article: "According to the OpenSSL team, the security hole comes from a software flaw." The problem has nothing to do at all with any of the cryptography algorithms used in OSS but a flaw in the software implementation of them, which is easily fixed. The KEY advantage of OPEN SOURCE SOFTWARE is that there are thousands of developers worldwide who have the freedom and who do look at the source code of various applications, including the Linux OS, Apache, etc., who find these bugs and security holes. Had the internet been controlled, heaven forbid, by say a company like Microsuck, then we probably would never ever hear of these nasty exploits caused by software bugs, and it would take months for them to get around to patching them, if ever. Instead of being so critical of open source you ought to be praising it, because the whole idea behind OPEN SOURCE is actually working in the real world: developers who had the right to see the source code found some serious bugs and now they are already being patched! What I would personally be very concerned with is not ever hearing about anyone finding anything wrong with open source software, because that would mean that people had stopped looking at the source code.

  2. dragonmouth
    April 9, 2014 at 10:56 pm

    This morning Debian Linux provided its users with a security update to fix this problem.

  3. Christian C
    April 9, 2014 at 9:05 pm
  4. TiagoTiago
    April 9, 2014 at 8:04 pm

    Any way as a user to detect whether a site is using the insecure version?