Heartbleed explained


OpenSSL is the most popular open source cryptographic library and SSL/TLS implementation, used for encryption including for the traffic on the internet. OpenSSL has a module called heartbeat, which is responsible for the synchronization between two entities, say two servers on the internet. A heartbeat lets a computer confirm that the other is still up and running; if there is no heartbeat, it stops communicating with the dead or unavailable computer.
Since the vulnerability is found in the heartbeat module, it got the name “Heartbleed”. The problem is caused by a very small piece of code:

memcpy(bp, pl, payload); // copy payload bytes from pl to bp

bp is a place on the server computer, pl is where the actual data the client sent as a heartbeat is, and payload is a number that says how big pl is. It works unless the payload value is maliciously set larger than the data actually sent. If the payload value is passed as 128 KB when it is really supposed to be 0 KB, memcpy earmarks a 128 KB region of memory at bp that already contains some data, which is supposed to be overwritten and hence erased. But in this case none of the old data at bp gets overwritten, because there is nothing to replace it with, since pl is actually empty. The data that was sitting in bp prior to the heartbeat gets passed back to the client. This data could contain private keys, passwords or other sensitive information.
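The handler shape described above, as an added example that is not OpenSSL's code or the author's: a constructed buffer stands in for server memory, `respond_vulnerable` copies as many bytes as the request's length field claims, and `respond_checked` discards a request whose claimed length exceeds what was actually received. All names other than `bp`, `pl` and `payload` are hypothetical, and the message layout is simplified (no padding).

```c
#include <stdio.h>
#include <string.h>

#define SECRET "constructed-secret"   /* constructed sample value */
static unsigned char heap[64];        /* stand-in for server process memory */

/* Lay out a heartbeat request (type, 2-byte length, payload) followed by
   unrelated data. Returns the number of bytes the client really sent. */
static size_t fill_heap(unsigned claimed, const char *data) {
    size_t n = strlen(data);
    memset(heap, 0, sizeof heap);
    heap[0] = 1;                                  /* heartbeat request */
    heap[1] = (unsigned char)(claimed >> 8);      /* claimed length, high byte */
    heap[2] = (unsigned char)(claimed & 0xff);    /* claimed length, low byte */
    memcpy(heap + 3, data, n);
    memcpy(heap + 3 + n, SECRET, sizeof SECRET);  /* neighbouring memory */
    return 3 + n;
}

/* Vulnerable shape: trusts the length field and ignores rec_len. */
static size_t respond_vulnerable(const unsigned char *rec, size_t rec_len,
                                 unsigned char *bp) {
    unsigned payload = ((unsigned)rec[1] << 8) | rec[2];
    const unsigned char *pl = rec + 3;
    (void)rec_len;
    memcpy(bp, pl, payload);          /* reads past what the client sent */
    return payload;
}

/* Hardened shape: the claimed length must fit inside the received record. */
static size_t respond_checked(const unsigned char *rec, size_t rec_len,
                              unsigned char *bp) {
    if (rec_len < 3) return 0;                    /* too short to parse */
    unsigned payload = ((unsigned)rec[1] << 8) | rec[2];
    if (3 + (size_t)payload > rec_len) return 0;  /* discard, send nothing */
    memcpy(bp, rec + 3, payload);
    return payload;
}

int main(void) {
    unsigned char bp[sizeof heap];
    size_t got = fill_heap(24, "hi");   /* claims 24 bytes, sends 2 */
    size_t n = respond_vulnerable(heap, got, bp);
    printf("vulnerable: echoed %zu bytes: %.*s\n", n, (int)n, bp);
    printf("checked:    echoed %zu bytes\n", respond_checked(heap, got, bp));
    return 0;
}
```

The demo keeps the claimed length inside the 64-byte array so every read stays in bounds; on a real server the same copy runs past the received record into whatever memory lies beyond it.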

This is not the first such problem or breach, but the potential impact is huge, perhaps bigger and more widespread than any other similar vulnerability. Heartbleed has exposed many private keys, the secrecy of which forms the very foundation of the asymmetric encryption used by SSL/TLS.

What it means to internet users – Google and Facebook have announced that their users and services were not impacted. Yet users were advised to change passwords as a precaution. Such vulnerabilities remind us that in security nothing can be taken for granted, and any assumption of foolproof security can be dangerous. What is secure today can and will be broken tomorrow.


Comments

  1. Anunaya Srivastava says:

    Now I understand how Heartbleed works!!! Since it affects OpenSSL, it obviously will have a severe impact on internet security.
    Waiting for more security alerts (Y)

  2. Go to https://filippo.io/Heartbleed/ to validate whether the website you are interested in is vulnerable.

  3. Vinit gupta says:

    Very good explanation. It had caused severe alerts on the nation's critical infrastructure such as electricity and natural gas systems.
