Much has already been written about the infamous Heartbleed vulnerability (CVE-2014-0160), the best technical piece being on Cloudflare’s blog. Unfortunately, as always in such cases, there has also been a lot of junk spewed out causing undue panic amongst the masses. A glaring example of this was a recent article in a well-known Indian daily newspaper reprehensibly titled the “Heartbleed Virus”, at which point one ought to stop reading the article.
Heartbleed is NOT a virus! It cannot spread from machine to machine, from device to device, and it cannot directly damage your computer. That is not to say that Heartbleed is not a serious issue. It is! Rather, the gravity of the situation very much depends on who you are. If you are an average individual surfing the internet on your home computer, one could argue that Heartbleed is unlikely to affect you very much. We must perforce qualify this opinion.
Heartbleed is a vulnerability in the OpenSSL library, which is used to encrypt vast amounts of internet traffic to protect it from being snooped upon, unless the NSA is involved that is. The SSL/TLS protocols use Public Key Infrastructure (PKI) which is a proven technology for achieving Pretty Good Privacy, and hence is ubiquitous on the internet. Heartbleed, by potentially allowing the exposure of private keys on a secure webserver to a remote attacker, threatens the integrity of PKI-protected communication over a network. One could picture a heavily-reinforced steel vault, with the master key visible under the door mat outside.
It would be entities such as corporates, governments, etc, that have webservers using a vulnerable version of OpenSSL that are most at risk of potentially revealing critical confidential data, especially private keys. If you are such an entity we urge you to upgrade your version of OpenSSL immediately, and make a call on revoking and reissuing your private keys. Unfortunately attempted exploitation of Heartbleed does not necessarily leave evidence behind, and the nature of the vulnerability is such that it may be virtually impossible to tell what, if any, data has been leaked. Note, the vulnerability itself has been around for a couple of years before its discovery.
Let us now address the risk posed to the individual surfer. Although there is indeed some risk of your password and other data being leaked from some website you have logged into if the server hosting the site was being targeted, the chances are rather slim. This is because successful Heartbleed exploitation tends to reveal only ephemeral data, and on a webserver hosting a popular site with several concurrent logged-in sessions, especially one where the average individual logs out after visiting the page (assuming this frees up the session resources on the server for the next user), the probability of leaking confidential data, and that too data specifically pertaining to you, is low. Notwithstanding, to be on the safe side, you may yet wish to change your passwords if the site in question has admitted to being vulnerable earlier and has since patched the flaw. After all, based on GitHub’s advice, we in the Taggant Library Maintenance Committee (part of the IEEE Anti-Malware Support Service) did change our passwords for the following repository:
In addition client-side devices, including those running certain versions of Android (reportedly 4.1.0 and 4.1.1), could also be vulnerable to Heartbleed-based data leakage, and ought to be patched ASAP, even though exploitation on the client side is an even more remote possibility.
Images courtesy of:
Senior Manager, K7TCL
If you wish to subscribe to our blog, please add the URL provided below to your blog reader: