The so-called Heartbleed bug is a serious flaw in some versions of popular, open-source security software used to protect encrypted data like passwords or payment card information during online transactions. Heartbleed was announced on April 7, and may have affected two-thirds of web servers worldwide, including online merchants large and small.
In the worst case, this Internet security flaw means that online retailers who were doing everything right, and everything required of them to protect customer data, may still have been exposing sensitive information to nearly any hacker.
What Is the Heartbleed Bug?
The Heartbleed bug is a coding flaw in versions 1.0.1 through 1.0.1f of OpenSSL, an open-source, commercial-grade development toolkit and library used to implement the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
Heartbeat is an extension to the TLS protocol that allows a server and a client (a web browser, for instance) to keep a connection open when no data is being transferred back and forth. Without getting too technical, the Heartbeat extension works by having one party (the web browser, in this example) send a message containing a payload (some arbitrary content) along with a number stating how many bytes that payload is. The other party (the web server here) is supposed to reply with a mirrored message echoing the same number of bytes. Unfortunately, the line of code that is supposed to confirm that the stated payload length matched the payload actually received was simply missing in the aforementioned versions of OpenSSL. As a result, the server would answer a message that claimed a large payload but carried a small one by copying the claimed number of bytes from its own memory. Thus, information is bleeding, if you will, from the heartbeat, giving us the Heartbleed bug.
“The problem is fairly simple,” wrote Matthew Green, a cryptographer and researcher at Johns Hopkins University, in his excellent description of the Heartbleed bug. “There’s a tiny vulnerability — a simple missing bounds check — in the code that handles TLS ‘heartbeat’ messages. By abusing this mechanism, an attacker can request that a running TLS server hand over a relatively large slice (up to 64KB) of its private memory space. Since this is the same memory space where OpenSSL also stores the server’s private key material, an attacker can potentially obtain (a) long-term server private keys, (b) TLS session keys, (c) confidential data like passwords, (d) session ticket keys.”
“Any of the above may allow an attacker to decrypt ongoing TLS sessions or steal useful information,” wrote Green. “However item (a) above is by far the worst, since an attacker who obtains the server’s main private keys can potentially decrypt past sessions (if made using the [non-perfect forward secrecy RSA] handshake) or impersonate the server going forward. Worst of all, the exploit leaves no trace.”
Since the Heartbleed bug could be used to both intercept encrypted communication and request “a relatively large slice” of server memory, it is actually worse than if a server had not been using encryption.
Finally, versions of OpenSSL with the missing code have been around since 2011.
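To make the missing check concrete, here is a small simulation added for this article (it is not OpenSSL's code): a heartbeat handler that can run with or without the bounds check, fed a constructed request that claims a 64-byte payload but carries 2 bytes. The "heap", the request bytes and the `PRIVATE-KEY-DATA` string are all constructed sample values.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the server heap: the received request sits at the
 * start and a sample secret sits 32 bytes in, where an unchecked copy reaches. */
#define HEAP_SIZE 256
static unsigned char heap[HEAP_SIZE];
static const char secret[] = "PRIVATE-KEY-DATA";     /* constructed sample */
/* Malformed request: type 1, claimed payload_length 64, only 2 bytes sent. */
static const unsigned char bad_request[5] = { 0x01, 0x00, 0x40, 'h', 'i' };
/* Well-formed request: payload "hi" plus the 16-byte minimum zero padding. */
static const unsigned char good_request[21] = { 0x01, 0x00, 0x02, 'h', 'i' };
/* Builds the heartbeat response for a rec_len-byte record at rec into out.
 * Returns the bytes written, or 0 if the record is rejected. bounds_check == 0
 * mirrors OpenSSL 1.0.1 to 1.0.1f, which trusted the claimed length. */
size_t heartbeat_reply(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap, int bounds_check)
{
    if (rec_len < 3) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];      /* n2s(p, payload) */
    /* The 1.0.1g fix: type, length, payload and 16 bytes of padding must all
     * fit inside the record that was actually received. */
    if (bounds_check && 1 + 2 + payload + 16 > rec_len) return 0;
    if (3 + payload > out_cap) return 0;
    out[0] = 0x02;                                        /* response type */
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)payload;
    memcpy(out + 3, rec + 3, payload);    /* reads past the record when unchecked */
    return 3 + payload;
}

/* Unchecked: the 5-byte request is answered with 64 bytes of heap, and the
 * secret lands at reply offset 32. Returns 1 if it leaked. */
int demo_unchecked_leaks_secret(void)
{
    unsigned char out[HEAP_SIZE];
    memcpy(heap, bad_request, sizeof bad_request);
    memcpy(heap + 32, secret, sizeof secret);
    size_t n = heartbeat_reply(heap, sizeof bad_request, out, sizeof out, 0);
    return n == 3 + 64 && memcmp(out + 32, secret, strlen(secret)) == 0;
}

/* Checked: the same malformed record is rejected, while a well-formed one is
 * still echoed. Returns the echo length (5), or -1 if the bad record passed. */
int demo_checked_rejects_malformed(void)
{
    unsigned char out[HEAP_SIZE];
    memcpy(heap, bad_request, sizeof bad_request);
    if (heartbeat_reply(heap, sizeof bad_request, out, sizeof out, 1) != 0) return -1;
    return (int)heartbeat_reply(good_request, sizeof good_request, out, sizeof out, 1);
}
```

The simulated heap keeps the unchecked copy inside a real array so the demonstration is safe to run; in the real bug the same copy ran off the end of the record into whatever else the process had in memory.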
Why Online Retailers Should be Concerned about Heartbleed
The Heartbleed bug means that even merchants that adhered perfectly to the Payment Card Industry Data Security Standard (PCI DSS) and took every prudent precaution to protect customers’ private information and payment card numbers may still have been vulnerable. Even some exclusively brick-and-mortar retailers could have been vulnerable.
The bottom line is that customers’ private information and payment card numbers are at risk, and every merchant should seek to protect customers.
How Merchants Can Protect Customer Data from Heartbleed
Retailers, particularly online sellers, need to take a few steps to protect customers from the Heartbleed bug.
First, if your web server was running one of the vulnerable versions of OpenSSL, ensure that it is updated, patched, or recompiled without the heartbeat extension immediately. This removes the security threat going forward.
Unfortunately, there is really no way to know whether a particular web server was already compromised, meaning that some hacker or hackers may already have the web server’s private keys. Retailers will therefore need to revoke and replace their SSL certificates, but only once they are certain that the server is running a secure version of OpenSSL, since a certificate issued to a still-vulnerable server can be stolen all over again.
Finally, it may be a good idea to reset user passwords, since if a server was already compromised the bad guys and gals could already have users’ current passwords.
How to Protect Your Business from Heartbleed Hackers
Given the scope and risk associated with the Heartbleed bug, it is a very good idea to change passwords for most, if not all, important business accounts. This is especially true for banking passwords.
Heartbleed-related Articles and Resources
The Heartbleed Bug website from Codenomicon.
Mathew Ingram’s article, “Here’s everything you need to know about the Heartbleed web security flaw,” on Gigaom.
Matthew Green’s “Attack of the Week: OpenSSL Heartbleed.”
Jack Phillips’ “Heartbleed Bug Imperils Web Encryption; Passwords, Credit Card Numbers at Risk,” in Epoch Times.
James Lyne’s “Heartbeat Heartbleed Breaks Worldwide Internet Security Again” from Forbes.
John Biggs’ article, “Heartbleed, the First Security Bug with a Cool Logo,” on TechCrunch.
Sean Gallagher’s post, “Heartbleed vulnerability may have been exploited months before patch,” from Ars Technica.
Danny Yadron’s Wall Street Journal article, “Massive OpenSSL Bug ‘Heartbleed’ Threatens Sensitive Data.”
Paul Ducklin’s post, “Heartbleed – heartache should you REALLY change your passwords right away?” on the Naked Security blog.