A bug present for two years in a significant fraction of the web’s servers has potentially exposed sensitive information to everyone and anyone.

On April 8th 2014, news started to spread that a critical security flaw had been discovered in software used to secure our connections with online banking, shopping websites, credit card transactions and anything else taking place over the internet with standard security protocols. The bug, later known as the ‘Heartbleed vulnerability’, affected a piece of software called OpenSSL. This is an integral part of the toolchain used to secure information transfer between websites and your browser. OpenSSL is a technology developed by a distributed set of developers, some freely donating their time and some working on behalf of companies donating their staff time. It is an ubiquitous part of widely used operating systems based on technology called UNIX, and these systems make up an overwhelmingly large proportion of the Internet’s servers.

Early estimates indicated that perhaps up to two thirds of the web’s servers could have been affected by the bug ¹. The well-known security researcher Bruce Schneier, writing in his blog shortly after the news of the bug, said that the bug was “catastrophic”, and added that “on the scale of 1 to 10, this is an 11” ². From logs of changes to OpenSSL available to the public, it is possible to conclude that the bug was inserted as part of changes made by a volunteer approximately two years ago. This in theory means that government agencies and other eavesdroppers could have been exploiting it ever since.

Severity

The bug is severe for a number of reasons. The software in which it occurred is so widely used that almost everyone, from the biggest companies to the occasional email-checking grandma, will be affected whether they know it or not. The bug can affect not only desktops, laptops and servers, but smartphones too ³. Compounding that, the bug is almost undetectable in that a successful exploit of the bug leaves almost no trace on most affected machines. Finally, the nature of the bug means that root certificates—special combinations of numbers and letters used by banks, shopping and email sites and anyone else that wishes to prove who they are online—could have been the victim of this memory snooping. With a root certificate, a malicious user can assume the identity of the certificate’s owner and wreak havoc. An attacker with control over a bank’s root certificate could defraud millions of customers.

Origin and Mechanism

The origin of the bug appears to have been an honest mistake by a student volunteer named Robin Seggelmann. Seggelmann was implementing a new feature to OpenSSL called ‘Heartbeat’, something which he designed and published as an IETF (the Internet Engineering Task Force, a group dedicated to promoting standardised Internet communication protocols) standard along with two other co-authors ⁴.

Communication across the web typically involves a client, such as a user’s web browser, and a server, such as the machine a website runs on. Some websites, such as those run by banks and email providers, offer additional security beyond a username and password. For communication between the two parties to be secure as it takes place across the web, messages are encrypted – for instance, by using a password agreed between your browser and a web server. A commonly used method involves OpenSSL. After a secure connection between a client and a server has been established using OpenSSL (a process which can take a little while), the Heartbeat feature allows the client to keep the connection open by sending a message to the server asking for a response – a ‘heartbeat’. This tells the server to keep the connection open and await further instructions, to avoid a lengthy renegotiation of a secure connection. The first party also sends a number representing the length of the message they have sent, to help the server verify the message hasn’t been corrupted during its travel across the web. Part of the way the server then acknowledges it is alive is to repeat the message it has received back to the other party. However, a bug in Heartbeat, colloquially known as ‘Heartbleed’, allows the client to specify any number as the length of their message, whereby the server will reply with that number of characters from its memory. This is a serious flaw, as a server’s memory is not normally publically accessible and as such can contain information which should not be available to the general public. Anything that is part of a task running on the server, such as a root certificate or a user’s email address, password or credit card number, could possibly be part of the server’s memory and accessible via the Heartbleed vulnerability.

Seggelmann has denied that the bug was inserted deliberately, and said it was an honest mistake ⁵. Good programming practice would be to check that the length specified in the client’s message is valid, in that it matches the length of the message they have sent. Since Seggelmann’s code didn’t do this, it could allow malicious users to send short messages to the server claiming they were large messages, thereby making the server reply with not only the original messages but also the contents of the memory near the messages.

To test the possible consequences of the vulnerability, the cloud computing company CloudFlare set up a server running the affected version of OpenSSL and asked the public to find out the server’s root certificate number (information normally kept private). Only hours after the competition started, the private number was successfully accessed, proving that it was indeed possible to steal sensitive information via this method ⁶.

Impact

The bug was considered severe enough to reach mainstream news outlets. Although it was possible for the general public to grasp the consequences of the bug, misinformation was rife as to what actions, if any, the public should take with regards to their online security. Advice for users to reset all passwords was given in error, since this measure is only effective if websites have been patched. Changing a password on an unpatched site could in theory make it even easier for an attacker to steal a user’s information.

The main work burden after the bug was discovered was on websites and organisations using OpenSSL to patch their servers. Some of the World Wide Web’s largest sites remained unpatched for days, leaving their servers exposed to attackers. The popular website Mumsnet was hacked using the Heartbleed vulnerability three days after the information was made public ⁷. Others, such as Google and CloudFlare, received news of the bug before the general public and had already taken preventative measures by April 8th.

After a handful of days most major websites had patched their servers. The public started to ask if this vulnerability had been exploited in the two years between its introduction and its revelation. The Electronic Frontier Foundation, an organisation dedicated to maintaining and enhancing online freedom, published an article suggesting that the Heartbleed vulnerability could indeed have been exploited months before the public announcement ⁸. Chillingly, the evidence suggests that a government organisation could have been monitoring online chat rooms. Whether or not intelligence agencies or malicious individuals could have known about the bug and exploited it beforehand, it is clear that in the time between the public announcement and major websites being patched, it would have been easy for anyone with limited programming ability to steal information stored in servers’ memories. Indeed, an arrest was made in Canada later in April of an individual who had hacked into a government website. Information gained by agencies or individuals could well have been stored for analysis in the future, which reinforces the advice for the public to change their passwords on patched or unaffected services.

Image Credit: XKCD via WikiCommons ( License )

Catastrophic security flaw ‘Heartbleed’ affects 60% of the World Wide Web’s servers by Sean Leavey was specialist edited by Matthew Bluteau and copy edited by Jessica Bownes, Barry Robertson and Charlie Stamenova

1. Read about it here. 
2. Read the article here. 
3. BBC article on the topic. 
4. Read the article here. 
5. Read about it in the Sydney Morning Herald. 
6. Article from Engadget. 
7. Read about it as it happened. 
8. Read it here.