Keeping user data secure is one of the biggest challenges in running a large website. Over the years, standards have been created and best practices have been put in place to help with that security. But sometimes, even when you follow all the guidelines and do your best to make sure your website and servers are secure, something unexpected happens. On April 7th, 2014 a major vulnerability was disclosed in the most widely used SSL/TLS library in the world. This means that over 66% of websites – including banks, social media, and maybe even your website – were put at risk.
How SSL/TLS are used on the web
When navigating around the web you may notice that a web address generally begins with one of two things: http or https. Those letters specify the protocol that governs how data is transmitted between your web browser and the website. If you see “http” then the data transmitted between your web browser and the site is not encrypted; it is sent in plaintext. This means that a hacker does not have to put in any extra effort to read your data: once he has access to the data, the attack is done. “Https,” on the other hand, secures the data by encrypting it. This way, if a hacker gets access to the data being sent between your web browser and the server, he still has to figure out how to decrypt it, which is usually harder than getting the data in the first place. That is why sites like Bank of America and Facebook use https and not http. They want to make sure your data is safe from prying eyes.
If you want to learn more about how “https” keeps your data secure then you can look at the asymmetric key encryption explanation in our previous blog post.
In order to keep your data secure, companies need to use a program or library that can encrypt and decrypt your data. One of the most popular libraries that does this is called OpenSSL. It was built and is maintained by a very small team, and it is used by most of the internet.
Since its creation in 1998, this is only the second time a major issue has appeared in OpenSSL. In the software world, that is an amazing track record. Even better, the first problem was not the fault of the OpenSSL team: that bug was introduced by a third party who modified the program and then released it.
On March 14, 2012, a new major version of OpenSSL was released. It included a piece of code, written on December 31, 2011, that implemented the “heartbeat protocol.” This protocol allows an application or server to send data to another server and have that same data sent back. Normally, this is useful for monitoring the status of a service. When making this status request, the sender is expected to include both the data and the size of the data, so that the request can be validated. If the size field doesn’t match the actual size of the data, one would expect the server to return an error and reject the possibly false request. Because of this bug, however, a malicious user could send a request claiming that the data is exceedingly large, and the server would reply with a response of that claimed size, regardless of the mismatch. In short, if the server remains unpatched, it remains completely open to invisible attacks.
Why is this a problem?
In order to perform general operations like the transfer of data, a computer stores data temporarily in memory. The data stored in memory doesn’t get cleared out until the memory is needed for something else. This is standard procedure, but combined with this new vulnerability it causes serious security concerns. Malicious users are able to use this vulnerability to read the data your server currently has in memory, completely unencrypted. This information could include all sorts of email addresses, passwords, or other details that may be found on the server. As if that weren’t enough, there is no way of detecting whether or not this information has been stolen. If the server remains unpatched, it remains completely open to these invisible attacks.
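To make the two explanations above concrete (the length field that is never checked, and the leftover data in memory that the oversized reply carries out), here is an added example in C. It is not code from the original post and not OpenSSL’s code: it is a small simulation in which the received heartbeat message sits in a constructed block of “process memory” next to a constructed secret, and the same request is handed first to a handler that trusts the length field and then to a hardened handler that refuses any request whose claimed size does not fit inside what was actually received. The message layout (type, 2-byte length, payload, 16 bytes of padding) follows the TLS heartbeat extension defined in RFC 6520, which the post does not name; the arena, the “hello” payload, the secret string and all function names are assumptions made for this demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): type(1) | payload length(2, big-endian)
   | payload | at least 16 bytes of padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Simulated process memory (constructed for this demo). The received record is
   placed at the start and a constructed secret left over from an earlier
   request sits right after it, so an over-read past the record lands on the
   secret instead of on unmapped memory. */
#define ARENA_SIZE    256
#define RESPONSE_CAP  128   /* small enough that any over-read stays inside arena */
static unsigned char arena[ARENA_SIZE];

typedef int (*heartbeat_fn)(const unsigned char *record, size_t record_len,
                            unsigned char *out, size_t out_cap);

/* Vulnerable handler: trusts the length field and never compares it with the
   number of bytes actually received. Returns the response length, or -1. */
int heartbeat_vulnerable(const unsigned char *record, size_t record_len,
                         unsigned char *out, size_t out_cap)
{
    (void)record_len;                      /* never consulted: this is the defect */
    uint16_t claimed = (uint16_t)((record[1] << 8) | record[2]);
    if (3 + (size_t)claimed + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = record[1];
    out[2] = record[2];
    memcpy(out + 3, record + 3, claimed);  /* copies past the end of the record */
    memset(out + 3 + claimed, 0, HB_PADDING);
    return (int)(3 + claimed + HB_PADDING);
}

/* Hardened handler: the same logic plus the check the fix introduced: header,
   claimed payload and padding must all fit inside the received record.
   A request that fails the check is dropped without any response. */
int heartbeat_fixed(const unsigned char *record, size_t record_len,
                    unsigned char *out, size_t out_cap)
{
    if (record_len < 3 + HB_PADDING) return -1;                     /* too short */
    uint16_t claimed = (uint16_t)((record[1] << 8) | record[2]);
    if (3 + (size_t)claimed + HB_PADDING > record_len) return -1;   /* length lies */
    if (3 + (size_t)claimed + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = record[1];
    out[2] = record[2];
    memcpy(out + 3, record + 3, claimed);  /* now provably inside the record */
    memset(out + 3 + claimed, 0, HB_PADDING);
    return (int)(3 + claimed + HB_PADDING);
}

/* Builds a request whose real payload is "hello" (5 bytes) but whose length
   field says `claimed`, then leaves a constructed secret in memory just after
   it. Returns the true record length, i.e. the bytes actually received. */
size_t build_request(uint16_t claimed)
{
    static const char payload[] = "hello";
    static const char secret[]  = "session_cookie=CONSTRUCTED_SECRET_VALUE";
    size_t plen = sizeof payload - 1;
    size_t record_len = 3 + plen + HB_PADDING;

    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 3, payload, plen);      /* padding bytes stay zero */
    memcpy(arena + record_len, secret, sizeof secret - 1);
    return record_len;
}

static int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Runs one handler on a request with the given length field.
   Returns 1 if the response contains the secret, 0 if not, -1 if refused. */
int leaks_secret(heartbeat_fn handler, uint16_t claimed)
{
    unsigned char resp[RESPONSE_CAP];
    size_t record_len = build_request(claimed);
    int n = handler(arena, record_len, resp, sizeof resp);
    if (n < 0) return -1;
    return contains(resp, (size_t)n, "CONSTRUCTED_SECRET");
}

int main(void)
{
    printf("vulnerable, honest length 5:   leak=%d\n", leaks_secret(heartbeat_vulnerable, 5));
    printf("vulnerable, claimed length 60: leak=%d\n", leaks_secret(heartbeat_vulnerable, 60));
    printf("fixed,      honest length 5:   leak=%d\n", leaks_secret(heartbeat_fixed, 5));
    printf("fixed,      claimed length 60: leak=%d (-1 = request dropped)\n", leaks_secret(heartbeat_fixed, 60));
    return 0;
}
```

With an honest length field both handlers echo the five payload bytes and nothing else. With a length field of 60 the vulnerable handler happily copies 60 bytes starting at the payload, which runs through the padding and into the secret that was never part of the request; the hardened handler notices that 3 + 60 + 16 bytes cannot fit in the 24 bytes it actually received and drops the message silently, which is also what RFC 6520 requires for an over-long payload length. The arena keeps the over-read inside one C array so the demo is well defined; in a real server there is nothing to bound it.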
What can you do?
Many companies have updated their servers to make sure that they are no longer affected, but some still haven’t. While it is currently impossible to tell whether a company was actually compromised, it is possible that many were vulnerable, and some still remain so right now (including some major financial institutions).
Users, we recommend that you:
- Double check a site’s current security status before using it (you can check using this site: http://filippo.io/Heartbleed/)
- Change all of your passwords
- Over the next few weeks, watch your bank accounts and personal information for any sign that something has been compromised
Businesses and server hosts, we recommend that you:
- Apply the new OpenSSL patches
- Check out http://heartbleed.com/ for more technical information