How The Heartbleed Bug Is Causing Heartache To The World Of Internet
Ever noticed the green lock that turns up to the extreme left of your browser when you access certain sites? That lock denotes that the data sent between the server you’re accessing and your computer is encrypted, and therefore believed to be safe. That’s ironic because it turns out that the method that we trusted to secure our most sensitive data online actually has a chink in its armour. The internet has been brought to its knees by what’s called the “heartbleed bug,” a name for the security shortfall that isn’t as arbitrary as it may first sound. The Heartbleed bug is causing heartache to internet users globally.
In order to understand why the heartbleed bug has sent chills down the spines of security experts of the biggest websites in the world, we need to understand how the internet works, or at least the part of it that deals with security.
So it all has to do with the client-server model that the internet is based on. When you access a webpage, what you’re basically doing is viewing a file that is on someone else’s computer. Now over the years, the internet advanced and those that made decisions regarding how it works realized that certain changes needed to be made.
Say, for example, you want to access your personal Facebook profile. That’s a page that exists on Facebook’s servers and you can request to see it when you wish. But what if someone else wants to also view your private Facebook profile? That isn’t something you’d want and to prevent this from happening, passwords are used. But what certain more persistent hackers would do is get between your computer and the Facebook server while you were sending it your password, and steal it. This is where encryption comes in. What encryption does is it turns your password into gibberish-like code and only the server knows how to decode it.
OpenSSL is a popular implementation of the SSL protocol that is used to encrypt online interactions. Popular is an understatement. Everyone from the biggest companies like Google to your local grocer’s ecommerce website uses OpenSSL. In fact, 2/3rds of all the websites on the internet have adopted the implementation. But we found out recently that OpenSSL is susceptible to attack and some of our most personal information may be jeopardized.
What makes the OpenSSL software susceptible is a certain method that was developed for servers to poll their client. The SSL protocol has an extension known as the “heartbeat.” This extension allows you to keep an SSL session running even if data hasn’t flowed back and forth in a while. This was done because reestablishing the session and getting existing data in place took too much effort. So servers on the internet use a heartbeat request to find out if a peer is still there on the other side.
A heartbeat request basically consists of two parts: a payload, which is the data that is being sent, and metadata, which is information about the data, specifically its size. The response to a heartbeat request is basically the same payload information and some padding.
Now what attackers do is craft a special heartbeat request. It’s special in that they create a payload of very small size. But in the metadata regarding the payload, they lie about its size and make it seem like it is much bigger. So say a heartbeat request consists of a payload that is one byte in size. The malicious request will inform the server that the payload is larger, say 50,000 bytes. The problem with the OpenSSL software is that it doesn’t check that the claimed size matches the payload that was actually sent. As a result, when it replies, it sends back the payload, and another 44,999 bytes of memory (as per our assumed values) which were supposed to be secure and not revealed to anyone.
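The missing validation described above, as an added C example (not OpenSSL's code and not from the original article). It assumes the heartbeat message layout from RFC 6520 (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding), which the article does not spell out; hb_overread and hb_reply are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* 1-byte type + 2-byte payload length (RFC 6520) */
#define HB_PADDING  16  /* minimum padding after the payload (RFC 6520) */

/* Payload size the sender claims: the 2-byte big-endian "metadata" field. */
static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* How many bytes past the end of the received record a copy that trusts the
 * claimed size would read. Only computes the figure; it never reads them. */
size_t hb_overread(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER) return 0;
    size_t end = HB_HEADER + hb_claimed_len(rec);
    return end > rec_len ? end - rec_len : 0;
}

/* Hardened handler: writes the response to out and returns its length, or
 * returns 0 to discard the request silently. */
size_t hb_reply(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t claimed = hb_claimed_len(rec);
    /* The validation the vulnerable code lacked: claimed size must fit the record. */
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return 0;
    size_t n = HB_HEADER + claimed + HB_PADDING;
    if (n > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);  /* echo the real payload */
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);   /* zeros here; real stacks use random padding */
    return n;
}

int main(void) {
    /* Constructed samples: an honest 4-byte payload, and a 1-byte payload
     * whose length field claims 50,000 (0xC350). */
    uint8_t honest[HB_HEADER + 4 + HB_PADDING] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t lying[HB_HEADER + 1 + HB_PADDING] = {HB_REQUEST, 0xC3, 0x50, 'A'};
    uint8_t out[64];
    printf("honest: reply=%zu overread=%zu\n", hb_reply(honest, sizeof honest, out, sizeof out), hb_overread(honest, sizeof honest));
    printf("lying:  reply=%zu overread=%zu\n", hb_reply(lying, sizeof lying, out, sizeof out), hb_overread(lying, sizeof lying));
    return 0;
}
```

The over-read figure is measured from the end of the received record, so it depends on how much padding the sender included.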
The problem is exacerbated by the fact that hackers can exploit the flaw without leaving a trace. So your website can be exploited and you may not have a clue until things start to go very wrong. The good news is that most major websites did find out pretty early and took necessary precautions, which was to upgrade the OpenSSL version they were using. So the next time you yawn sarcastically when you’re reminded to change passwords regularly, remember, doing it can save you a world of “heartbleed.”