All That You Need To Know About Heartbleed Bug And Its Threats

The Heartbleed bug, an encryption flaw, is being considered as one of the biggest security threats that Internet has ever witnessed. The bug puts users’ passwords in many popular websites at risk and this applies to popular websites we use including Facebook and Gmail. What makes this bug deadly is the fact that it can quietly expose sensitive account information such as passwords and credit card numbers of over the past two years. If the figure of Netcraft is to be believed, more than 500,000 websites could be attacked by this bug.

Heartbleed

Photo credit :http://goo.gl/0UIJUW

let’s delve a bit deep in to the issue -

What is Heartbleed?

Heartbleed is a security breach in OpenSSL software which empowers a hacker to trespass data servers’ memory. This means sensitive set of data of the users which include user id, passwords, credit card details are potentially risked of being intercepted.The hacker can also breach through the server’s digital keys that encrypt communications and access a company’s confidential internal documents.

What is OpenSSL?

Let’s talk about SSL first. SSL is the abbreviation of Secure Sockets Layer. It is known as Transport Layer Security or TLS. SSL is the most basic way information is encrypted on the web, and it eliminates the risk of someone spying on your log-ins as you browse the web. For instance, you would notice “https” instead of “http” in the URL of SSL-enabled websites like Gmail.

OpenSSL is open-source software for SSL implementation across the Web. The versions with the vulnerability are 1.0.1 to 1.0.1f. OpenSSL is also used as a part of the Linux OS and as a component of Nginx and Apache, two very widely used programs for running websites. The use of OpenSSL across the Web is huge.

Who found out the Heartbleed bug?

The credit of discovering the bug goes to a Finnish security firm Codenomicon and Google engineer Neel Mehta. Codenomicon and Neel Mehta found out the bug independently, but they did that on the same day.

Why the bug is named as Heartbleed?

The term “Heartbleed” was coined by a systems administrator at Codenomicon, Ossi Herrala. The name is basically a tweak of an extension on OpenSSL termed “heartbeat”. According to David Chartier, chief executive of Codenomicon, “Herrala thought it was fitting to call it Heartbleed because it was bleeding out the important information from the memory…”.

Who was behind the bug?

OpenSSL being an open-source project, it’s unfair to blame one person. Robbin Seggelmann, the German computer programmer however opined that he is “responsible for the error” and said he “missed the necessary validation by an oversight” while writing the code.

How to trace whether anyone has used Heartbleed vulnerability to steal user information?

Codenomicon states that exploiting the Heartbleed bug leaves but any trace of peculiar happening to the logs of websites.

A Final Note:

Although there is no comprehensive list of the sites that have been affected some companies have taken prompt action to update their servers with a security patch to get the issue fixed which means the users would have to change their password used for these sites.

However, that does not guarantee that the information is not already compromised. It’s just that the Internet companies are asking the users to change their passwords as a precautionary measure.

Changing the passwords regularly is always good practice, if a site or service hasn’t yet patched the problem, user information will still be vulnerable.

If the same password is repeated on multiple sites and one of those sites becomes vulnerable to the bug, users will have to change the password everywhere.

Comments are closed.