
What is Heartbleed and the 6 things you MUST know about it

Last updated on: April 12, 2014 10:16 IST

The latest bug threatening the Internet might just hit your computers too!

The Internet is the most complicated man-made architecture, and over time researchers have found so many vulnerabilities in it that Internet security has spawned a whole new industry. Recently, security researchers discovered a serious flaw, or 'bug', in the OpenSSL library and named it the 'Heartbleed' bug.

Why the name HeartBleed?

The HeartBeat Extension

This bug lies in OpenSSL's implementation of the heartbeat extension, a small part of the TLS protocol.

If that sounds tediously technical, suffice it to say that the main aim of this extension is to check whether the connection between the source and the destination is still active.

It does this by sending a small piece of data along with a number stating its size; in turn, the destination sends back that exact piece of data to confirm that the link is still active.


Then what goes wrong?

Unfortunately, when OpenSSL (the open-source library programmers use so that they need not implement encryption protocols themselves) replies, it does not look at the actual amount of data sent; instead it takes note of the stated size and sends exactly that amount of data back to the source.

Now, if someone tampers with this stated size and puts in a number larger than the amount of data actually sent, the destination's reply will contain the sent data as well as additional data, which is nothing but whatever happens to sit next to it in the computer's system memory.

This additional data is sent simply to match the amount requested by the source.

In this way the bug allows an attacker to 'bleed' random information out of system memory just by asking for it. Even worse, neither the heartbeat request nor the size it states is monitored or logged, which means that if attackers tamper with it there is no trail by which to catch them.
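To make the length mismatch concrete, here is an added Python simulation (not code from the article or from OpenSSL): the record is laid in front of a constructed block of "neighbouring memory", the unpatched handler trusts the stated size, and the patched handler rejects any request whose stated size does not fit inside the record actually received. The function and constant names, and the sample secrets, are assumptions made for this example.

```python
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload

# Constructed stand-in for whatever else happens to sit in process memory next
# to the received record. Made-up strings, not real credentials.
NEIGHBOURING_SECRETS = b"user=alice;session=constructed-token-0001;pw=hunter2;"

def build_heartbeat(payload: bytes, stated_len: Optional[int] = None) -> bytes:
    """Heartbeat request body: type(1) | payload_length(2) | payload | padding(16).
    An honest peer states the true length; a malformed request can state more."""
    if stated_len is None:
        stated_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, stated_len) + payload + b"\x00" * PADDING

def vulnerable_reply(memory: bytes, record_len: int) -> bytes:
    """Unpatched behaviour: trust the stated length and echo that many bytes from
    the start of the payload, although only record_len bytes were received."""
    _, stated = struct.unpack("!BH", memory[:3])
    return memory[3:3 + stated]  # record_len is never consulted: reads past the record

def patched_reply(memory: bytes, record_len: int) -> Optional[bytes]:
    """Fixed behaviour: header, stated payload and padding must all fit inside the
    record that was actually received; otherwise the request is silently dropped."""
    if record_len < 1 + 2 + PADDING:
        return None
    _, stated = struct.unpack("!BH", memory[:3])
    if 1 + 2 + stated + PADDING > record_len:
        return None
    return memory[3:3 + stated]

def demo(stated_len: int) -> Tuple[bytes, Optional[bytes]]:
    """Place a 4-byte 'ping' record in front of the secrets and run both handlers."""
    record = build_heartbeat(b"ping", stated_len)
    memory = record + NEIGHBOURING_SECRETS
    return vulnerable_reply(memory, len(record)), patched_reply(memory, len(record))

if __name__ == "__main__":
    print(demo(4))   # honest request: both handlers echo b'ping'
    leaked, dropped = demo(60)
    print(leaked)    # unpatched: 'ping', padding, then 40 bytes of NEIGHBOURING_SECRETS
    print(dropped)   # patched: None, the request is discarded
```

The patched check mirrors the shape of the real fix: the stated length is validated against the record length that the handler already had available but never used.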


What damages can this bug cause?

System memory holds login names, passwords, secure certificates and access tokens of all kinds.

Since system memory is temporary, meaning all this information is erased when the computer shuts down and rewritten each time it boots, it has been considered safe to hold such things only in system memory.

But with the Heartbleed bug, this faith is now shattered.

An attacker may keep sending malicious heartbeat requests, and without close analysis there is hardly any chance of telling a genuine heartbeat request from a fake one. The victims will never even know they have been targeted until they themselves notice that their private data is somehow no longer private.


Moment of relief!

Though the dice have been rolled and there is a high chance of landing in the worst-case scenario, there is some relief as well:

In the worst-case scenario, criminal enterprises, intelligence agencies and state-sponsored hackers have known about this bug for almost two years and have strategically used this loophole to access encrypted data.

Further, 66 per cent of the web uses OpenSSL, leaving a fair portion of the web highly vulnerable to Heartbleed.

In the best-case scenario, on the other hand, the researchers who disclosed this flaw were the first to find it, which sounds too good to be true!

Yet there is one major reason why you should not panic.

As soon as the bug was discovered, a new, secure version of OpenSSL was released, and almost all the affected servers have been updated with it.

Moreover, major services like Google and Yahoo have already developed patches for this bleed and are as secure as ever. The fix also includes revoking and re-issuing identity certificates for servers and users, and even though this job is tedious and laborious, it has to be done urgently, as almost 600,000 servers are still vulnerable to attack.


Are Android and iOS safe?

Oh yes! Google's security team has clearly stated that, apart from Android 4.1.1, all versions of the Android operating system are immune to this 'bleed', and the company is already distributing a patch for the affected version.

Google Cloud Platform and Google Search have already been rid of the 'Heartbleed' bug, and security engineers are now moving on to patch CloudSQL, whose fix could arrive any time now.

Apple too has stated that its operating systems and services, such as iOS, OS X, iTunes and iCloud, are not affected by the 'Heartbleed' bug and are thus safe to use.


What can you do on your part?

Well, there isn't much you can do about it, because this time it is largely out of your hands.

One standard piece of advice is to change your passwords often. However, here this may also make you more vulnerable, as the bug may still be present on the site and your new password may itself land in the leaked chunk of system memory. So changing passwords won't avoid the bleed until the site has fixed its infrastructure.

Wait for confirmation from the site, then change your password as usual.

To a large extent it also depends on the website you are using and whether or not it has deployed the new, secure version of OpenSSL.

If your service administrator asks you to change your passwords, do so immediately, without procrastinating. In addition, try not to connect to less secure sites and services until this bleed is fixed or they notify you that they have adopted the new version.

Alternatively, on every service look for the two-factor security option, which asks for more than just a password and thus provides enhanced security.

There are sites on the net that provide a full list of the major sites affected by this bug and answer questions such as whether those sites have been patched and whether you should change your password.

We should all remember one point: the foundation of our Internet runs on open-source code, which is open for anyone to update and change. Heartbleed is a critical bug that was found in a very small part of just one of those protocols.

So it is very clear that the heart of the Internet has to be checked from time to time to prevent sudden bleeds or ruptures.
