If you’re one of those people who’ve always believed that open source cryptography is the most secure way to communicate online, you’re in for a bit of a surprise.
This week, Neel Mehta, a member of Google’s security team, informed the development team at OpenSSL that an exploit exists with OpenSSL’s “heartbeat” feature. Google discovered the bug when working with security firm Codenomicon to try and hack its own servers. Following Google’s notification, on April 7th, the OpenSSL team released their own Security Advisory along with an emergency patch for the bug.
The bug has already been given the nickname “Heartbleed” by security analysts, because it utilizes OpenSSL’s “heartbeat” feature to trick a system running OpenSSL into revealing sensitive information that may be stored in system memory. While much of the information stored in memory may not have much value to hackers, the gem would be capturing the very keys that the system uses to encrypt communications.
Once the keys are obtained, hackers can then decrypt communications and capture sensitive information like passwords, credit card numbers and more. The only requirement to obtain those sensitive keys is to consume the encrypted data from the server long enough to capture the keys. The attack is undetectable and untraceable.
The OpenSSL Heartbeat Bug
The ramifications from this security flaw are huge. OpenSSL was first established in December of 2011, and it quickly became a cryptographic library used by companies and organizations all around the Internet to encrypt sensitive information and communications. It is the encryption utilized by the Apache web server, which nearly half of all websites on the Internet are built upon.
According to the OpenSSL team, the security hole comes from a software flaw.
“A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.”
Without leaving any trace on server logs, hackers could exploit this weakness to obtain encrypted data from some of the most sensitive servers on the Internet, like bank web servers, credit card company servers, bill payment websites, and more.
The likelihood of hackers obtaining the secret keys remains in question though, because Adam Langley, a Google security expert, posted to his Twitter stream that his own testing did not turn up anything as sensitive as secret encryption keys.
It its Security Advisory on April 7th, the OpenSSL team recommended an immediate upgrade, and an alternative fix for server administrators who can not upgrade.
“Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. 1.0.2 will be fixed in 1.0.2-beta2.”
Due to the proliferation of OpenSSL throughout the Internet over the last two years, the likelihood of the Google announcement leading to impending attacks is fairly high. However, the impact of those attacks can be mitigated by as many server administrators and security managers upgrading their company systems to OpenSSL 1.0.1g as soon as possible.