Open-source Bug Leaves Millions of Websites Exposed to Data Leaks

Heartbleed has potentially affected millions of websites

“The Heartbleed bug allows anyone on the internet to read the memory of systems protected by the vulnerable versions of the OpenSSL software”, notes a report from Finnish security firm Codenomicon, which, along with Google, was one of the two companies that disclosed the vulnerability earlier this week. As the company explained, in practice the vulnerability allows encrypted communications over the internet to be compromised.

“This compromises the secret keys used to identify the services providers and to encrypt the traffic, the names and passwords of the users, and the actual content”, Codenomicon wrote. “This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

Put more simply, the vulnerability allows attackers to steal encryption keys from internet servers, or from desktop software, that use OpenSSL to manage an organization’s encrypted web traffic. Attackers can then use those stolen keys to decrypt the data as it flows over the internet. Perhaps more concerning, even if the vulnerable software is patched, encrypted communications captured before the patch was applied can still be decrypted with the stolen keys.

So how big is the problem? According to the company’s report on the issue, over 66% of the active sites on the internet rely on web server software that deploys OpenSSL. As Joe DeMasy, a security analyst with Bishop Fox, explained, smaller organizations that run websites are more susceptible to Heartbleed, which he calls “a nasty vulnerability.”

Graeme Batsman, security director for EncSec, called Heartbleed “one of the most significant developments in the history of the security industry”, on par with the massive data breaches at Target, Sony, and TJ Maxx. “But whereas these were all incidents of a single company being breached”, he added, “OpenSSL Heartbleed has potentially affected millions of websites.”

The key word in this statement is “potentially”, as not all organizations that use open-source OpenSSL software will be affected. According to Jason Sabin, the senior VP of research and development at DigiCert – and himself an SSL expert – companies must first determine which versions of OpenSSL they are using, and whether they are among the vulnerable ones. Mark Brown, director of information security at EY, agrees, noting that companies using older versions of OpenSSL may actually be unaffected by the bug.

“While it may be tempting to throw the baby out with the bathwater and to undergo a wholesale security review at huge cost, businesses firstly need to verify whether their version of OpenSSL is impacted”, he said in a statement. “Although there are high-profile websites that are affected, given that the majority of businesses do not upgrade SSL certificates regularly, there are many who will be safe from the Heartbleed bug.”
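One way to do the version check that Sabin and Brown describe, as an added example that is not part of the article: a small Python script that reads the `openssl version` banner, compares it against the Heartbleed release range (1.0.1 through 1.0.1f and 1.0.2-beta1, a known fact about the bug rather than a figure from the article) and flags matching builds for vendor-patch verification, because distributions often backport the fix without changing the upstream version letter. The `-DOPENSSL_NO_HEARTBEATS` build flag is the one OpenSSL documented for compiling the heartbeat code out; the verdict strings are this example's own.

```python
import re
import subprocess

# Upstream OpenSSL releases affected by Heartbleed: 1.0.1 through 1.0.1f and
# the 1.0.2-beta1 pre-release; 1.0.1g and later are fixed. These numbers are
# well-known facts about the bug, not figures taken from the article above.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")
NO_HEARTBEATS_FLAG = "-DOPENSSL_NO_HEARTBEATS"  # build flag that removes the heartbeat code


def parse_version(banner):
    """Parse an `openssl version` banner into (major, minor, patch, letter, prerelease)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter, pre = m.groups()
    return int(major), int(minor), int(patch), letter, pre


def in_affected_range(banner):
    """True when the upstream version number is one of the Heartbleed releases."""
    major, minor, patch, letter, pre = parse_version(banner)
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"      # "" (plain 1.0.1) through "f"; "g" and later are fixed
    if (major, minor, patch) == (1, 0, 2):
        return pre == "beta1"     # only the first 1.0.2 beta shipped the bug
    return False                  # 0.9.8 and 1.0.0 never had the heartbeat extension


def assess(version_banner, compiler_flags=""):
    """Classify a build from `openssl version` and `openssl version -f` output.

    Returns "clear" (not an affected release), "heartbeats-disabled" (affected
    release built with the heartbeat code compiled out) or "check-vendor-patch"
    (affected release: distributions often backport the fix without bumping the
    version letter, so check the package changelog or vendor advisory before
    treating the host as vulnerable).
    """
    if not in_affected_range(version_banner):
        return "clear"
    if NO_HEARTBEATS_FLAG in compiler_flags:
        return "heartbeats-disabled"
    return "check-vendor-patch"


def assess_local_build():
    """Run the check against the OpenSSL binary on PATH (None if none is found)."""
    try:
        banner = subprocess.check_output(["openssl", "version"], text=True)
        flags = subprocess.check_output(["openssl", "version", "-f"], text=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return assess(banner, flags)


if __name__ == "__main__":
    print(assess_local_build())
```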

Nevertheless, Brown asserted, “this vulnerability is a major blow for security on the internet.”
