On April 7, 2014 a major security bug, “Heartbleed”, was disclosed, and it has been the hot topic ever since. It is a bug in the open-source cryptography library OpenSSL that allows an attacker to read the memory of a server or a client. More than half a million websites all over the world were affected, and an attacker can use it to steal passwords and personal information. I have made this tutorial to explain the bug, how to prevent it, how to secure your data, and so on. I have combined many things about the bug and used many websites as my references; you can also check the sources at the bottom of this post.
What is Heartbleed bug?
As I said earlier, Heartbleed is a bug in OpenSSL that affects websites running older, unpatched OpenSSL versions. The bug can be used to retrieve the private keys of the websites' SSL certificates. It was announced that OpenSSL 1.0.2-beta, as well as all versions of OpenSSL in the 1.0.1 series except 1.0.1g, had a severe memory handling bug in their implementation of the Transport Layer Security (TLS) Heartbeat Extension. This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat. Its CVE number is CVE-2014-0160. Using this bug, attackers could reach sensitive data, compromising the security of the server and its users.
Origin of the Heartbleed Name:
The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520), hence the name. When it is exploited, it leads to the leak of memory contents from the server to the client and vice versa.
Who Found this Bug:
This bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and by Neel Mehta of Google Security, who first reported it to the OpenSSL team.
What is CVE-2014-0160?
CVE-2014-0160 is the official reference to this bug. CVE (Common Vulnerabilities and Exposures) is the standard for information security vulnerability names, maintained by MITRE. Due to the coincident discovery, a duplicate CVE, CVE-2014-0346, was also assigned to this bug; it should not be used, since others independently went public with the CVE-2014-0160 identifier.
What is OpenSSL?
OpenSSL is an open-source toolkit that implements Secure Sockets Layer (SSL) and Transport Layer Security (TLS). SSL certificates are enabled on almost all websites that need a secured connection: bank websites, mail websites and most sites with a user login all use SSL.
SSL Enabled Sites:
In simple terms, how can I identify whether a site has SSL enabled or not? Look for https:// in the address. Hypertext Transfer Protocol Secure (HTTPS) is a secure communication protocol; it is nothing but standard HTTP communication with the security capabilities of SSL/TLS added.
What type of data can be stolen with this bug?
Four major categories of secrets can be compromised with this bug:
- Primary Key Material – the encryption keys themselves (the certificate's private key).
- Secondary Key Material – user credentials (usernames and passwords).
- Protected Content – personal or financial data.
- Collateral – other memory contents.
What versions of OpenSSL are affected by the Heartbleed bug?
- OpenSSL 1.0.2-beta (vulnerable)
- OpenSSL 1.0.1 – OpenSSL 1.0.1f (vulnerable)
- OpenSSL 1.0.2-beta2 (upcoming, will contain the fix)
- OpenSSL 1.0.1g (fixed)
- OpenSSL 1.0.0 (and 1.0.0 branch releases) (not vulnerable)
- OpenSSL 0.9.8 (and 0.9.8 branch releases) (not vulnerable)
The bug was introduced into OpenSSL in December 2011 and has been out in the wild since the OpenSSL 1.0.1 release on 14th of March 2012. OpenSSL 1.0.1g, released on 7th of April 2014, fixes the bug.
OpenSSL Security Advisory [07 Apr 2014]
TLS heartbeat read overrun (CVE-2014-0160)
A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.
Thanks to Neel Mehta of Google Security for discovering this bug and to
Adam Langley and Bodo Moeller for
preparing the fix.
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
1.0.2 will be fixed in 1.0.2-beta2.
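To make the advisory's "missing bounds check" concrete, here is an added simulation (not OpenSSL's code) of how a heartbeat request is handled before and after the 1.0.1g fix. The record layout follows RFC 6520 (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding); the "process memory" buffer, the "SECRET" bytes placed after the record and all function names are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 96
static unsigned char memory[MEM_SIZE]; /* constructed stand-in for process memory */
static unsigned char out[MEM_SIZE];    /* where the heartbeat response payload is built */

/* Build a heartbeat request that claims `claimed` payload bytes but carries only
 * `actual`; the bytes written after the record stand in for neighbouring heap data. */
static size_t build_record(uint16_t claimed, const char *payload, size_t actual) {
    memset(memory, 0, sizeof memory);
    memory[0] = 1;                                  /* TLS1_HB_REQUEST */
    memory[1] = (unsigned char)(claimed >> 8);      /* payload_length, big-endian */
    memory[2] = (unsigned char)(claimed & 0xff);
    memcpy(memory + 3, payload, actual);
    memset(memory + 3 + actual, 'p', 16);           /* RFC 6520: at least 16 bytes of padding */
    size_t rec_len = 3 + actual + 16;               /* what really arrived on the wire */
    strcpy((char *)memory + rec_len, "SECRET: constructed private key bytes");
    return rec_len;
}

/* Pre-1.0.1g logic: the length field inside the message is trusted, so the
 * copy runs past the end of the record into whatever memory follows it. */
static size_t vulnerable_heartbeat(const unsigned char *rec, size_t rec_len) {
    (void)rec_len;                                  /* never consulted */
    uint16_t plen = (uint16_t)((rec[1] << 8) | rec[2]);
    memcpy(out, rec + 3, plen);
    return plen;                                    /* bytes echoed to the peer */
}

/* The 1.0.1g fix: header + claimed payload + minimum padding must fit inside
 * the record that actually arrived, otherwise the message is silently dropped. */
static size_t fixed_heartbeat(const unsigned char *rec, size_t rec_len) {
    if (rec_len < 1 + 2 + 16) return 0;             /* too short to even hold the header */
    uint16_t plen = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)plen + 16 > rec_len) return 0;
    memcpy(out, rec + 3, plen);
    return plen;
}

int main(void) {
    size_t n = build_record(60, "hi", 2);           /* claims 60 bytes, sends 2 */
    printf("vulnerable: echoed %zu bytes (record was %zu)\n", vulnerable_heartbeat(memory, n), n);
    printf("fixed:      echoed %zu bytes\n", fixed_heartbeat(memory, n));
    return 0;
}
```

The vulnerable handler echoes 60 bytes for a 21-byte record, and the extra bytes come from beyond the record; the fixed handler returns nothing for that request while still answering a well-formed one.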
How to prevent my site's data from leaking?
Website owners whose sites use OpenSSL should update to the new version, which was released as the fix for this bug.
Preventive Measures:
Please change the passwords of your bank accounts and mail accounts. Even though the major websites are in the process of updating their OpenSSL, it is better for users to change their passwords.
How to check whether my site is vulnerable to this bug or not?
You can check this in a minute. The password manager LastPass has added a Heartbleed vulnerability scan to its site security check. LastPass's Security Check tells you which sites have updated their certificates, and whether you need to change your password for that site.
Steps to Check :
1. Navigate to http://lastpass.com/heartbleed/
2. Enter the name of the website in the text box and hit “See if this site is vulnerable to Heartbleed”.
3. The result will be displayed.
Note: this tool checks websites that have SSL (https).
With this tool you can also check whether a site has been updated to the new SSL version by entering the website's name.
Major websites are updating their SSL to the new version, which is considered the temporary fix to stop the leaks. I recommend that you change the passwords of your accounts at major banks, your mail accounts, etc.
Share your views about the “Heartbleed” bug.