A lot has been said lately of Heartbleed since its announcement few days ago. However, as it goes with overload of information at times, media attention has managed to create mass confusion and hysteria on this topic. Hopefully this post will help answer some of your questions. Let’s try to break it down
The issue stems from a bug in OpenSSL’s implementation of TLS heartbeat extensions. While trying to optimize use of resources when decrypting/encrypting SSL traffic, programming mistake is claimed to have created this vulnerability. Such is nature of software development. Sometimes we don’t realize full effect of a change that seems to have desired effect we are trying to achieve. Certainly why holistic approach to secure coding should be paramount for any development projects.
While the vulnerability was made public recently, it has been out in wild since March of 2012 when OpenSSL 1.0.1 was released. OpenSSL versions 1.0.1 through 1.0.1f are affected. Versions prior to 1.0.1, OpenSSL 1.0.0/OpenSSL 0.9.8 are not affected. 1.0.1g released on 7th April 2014 isn’t affected either.
So take that 2 years between March 2012 and now, and let’s ask ourselves what was at stakes in those 2 years. The issue allowed attacker to read memory of the application/device running affected version of OpenSSL, allowing them to gain access to data from clients and to clients from that application/device. This included primary and secondary keys of SSL certificates used to encrypt data from client to server, and all the data that was in flight or in memory between client and server. This includes your passwords and any protected data users were sending to compromised services.
So where could these affected OpenSSL versions have been in use?
Since OpenSSL is the most popular open source crypto library and TLS implementation used for encryption, it reaches beyond secure websites to email servers, VPN concentrators, Load balancers and ADCs that may be used for SSL offload and bridging, even client side software that uses these extensions. Even in places you would tend to not look. Take Microsoft Lync client for an example. While it may not be affected by OpenSSL bug per this post from Microsoft, it was surprising to find that even some of Microsoft software was relying on this open source software!
Actions you can take
For an end user, find out if any of the services you have been using is impacted. There are many websites that can verify and report if the service are vulnerable. One of them is http://possible.lv/tools/hb. If you find out that your favorite banking portal or email service or the technology forum you visit regularly is affected, first thing you can do is stop using it and contact vendor to find out their plan to fix the vulnerability. There have been articles suggesting to immediately change your passwords, that’s the worst thing you can do. Reason being, if you change the password and the service hasn’t yet fixed the vulnerability, you are only providing new password out in the open. Whether someone is actively exploiting it or not is different story but would you take that chance? I wouldn’t!
For an IT Pro, architects, systems engineers, you should take a holistic look at your systems and find out what could be affected by this vulnerability. Reach out to vendors of each of those applications/devices and formulate strategy to apply fixes. It doesn’t end there however. You need to also replace all certificates that were in use during the exposure. This is important because what good are those certificates even if you fix the vulnerability? The attacker might have keys to the kingdom already unless you change the lock itself!
Lastly, as an organization affected by the vulnerability, you need to analyze what the impact was on your data and if secured data was compromised in any way. This might be more difficult as it has far reaching impact both financially and politically. But transparency is the best policy that goes long way in winning customer trust. Even if initial announcement of impact might look like bad news you want to avoid.
There is lot of good information available on http://heartbleed.com/ if you want to keep digging for more.