What is Heartbleed?
A serious vulnerability in the OpenSSL cryptographic library affects around 17.5% of SSL web servers that use certificates issued by trusted certificate authorities, according to a recent Netcraft survey. This accounts for around half a million certificates. Already commonly known as the Heartbleed bug, a missing bounds check in the handling of the TLS heartbeat extension can allow remote attackers to read up to 64 kilobytes of memory from an affected server.
This could allow attackers to retrieve private keys and ultimately decrypt the server’s encrypted traffic or even impersonate the server. The certificates on affected servers are consequently vulnerable to being spoofed (through private key disclosure), allowing an attacker to impersonate the affected websites without raising any browser warnings.
Please note that a small percentage of Microsoft web servers also appear to support the TLS heartbeat extension; these are actually likely to be vulnerable Linux machines acting as reverse proxy frontends to Windows servers.
Support for heartbeats was added to OpenSSL 1.0.1 (released in 2012) by Robin Seggelmann, who also coauthored the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension RFC. The new code was committed to OpenSSL’s git repository just before midnight on New Year’s Eve 2011.
OpenSSL’s security advisory states that only versions 1.0.1 and 1.0.2-beta are affected, including 1.0.1f and 1.0.2-beta1. The vulnerability has been fixed in OpenSSL 1.0.1g, and users who are unable to upgrade immediately can disable heartbeat support by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag.
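To make the fix concrete, here is an added illustration (not OpenSSL’s own code) of the bounds check that the heartbeat handler was missing before 1.0.1g, modelled in C over a constructed record: a request whose declared payload length does not fit inside the record is silently discarded instead of being echoed back. The record layout follows the heartbeat RFC; the zeroed padding and the sample records are assumptions made for a deterministic demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Simplified heartbeat record: type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Validate a heartbeat request the way OpenSSL 1.0.1g does: header, declared payload and minimum
 * padding must all fit within the record actually received. Returns the declared payload length,
 * or -1 if the record must be discarded. */
int hb_check(const unsigned char *rec, size_t rec_len) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;           /* too short to hold even an empty payload */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];        /* n2s(): read the 16-bit declared length */
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;  /* the check missing in 1.0.1 through 1.0.1f */
    return (int)payload;
}

/* Build the response, copying only the bytes the check proved are present in the request.
 * Returns the response length, or -1 if the request was rejected or the output buffer is too small. */
int hb_respond(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap) {
    int payload = hb_check(rec, rec_len);
    if (payload < 0) return -1;
    size_t need = 1 + 2 + (size_t)payload + HB_PADDING;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, (size_t)payload);               /* bounded by the validated length, never by the claim alone */
    memset(out + 3 + payload, 0, HB_PADDING);                /* assumption: real padding is random; zeroed here for determinism */
    return (int)need;
}

/* Constructed sample records (not captured traffic): 1 type + 2 length + 3 payload + 16 padding = 22 bytes. */
static const unsigned char good_rec[22] = { HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c' };  /* declares 3, carries 3 */
static const unsigned char bad_rec[22]  = { HB_REQUEST, 0xFF, 0xFF, 'a', 'b', 'c' };  /* declares 65535, carries 3 */

/* Convenience wrappers so the two cases can be exercised without re-declaring the buffers. */
int demo_good(void) { unsigned char out[64]; return hb_respond(good_rec, sizeof good_rec, out, sizeof out); }
int demo_bad(void)  { unsigned char out[64]; return hb_respond(bad_rec,  sizeof bad_rec,  out, sizeof out); }
```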
How to Protect Yourself from the Heartbleed Bug
First, check which sites are affected and identify the ones that you use. If you don’t want to read through the long list of websites with the security flaw, the password security firm LastPass has set up a Heartbleed Checker, which lets you enter the URL of any website to check its vulnerability to the bug and whether the site has applied a patch.
Here are some websites that we recommend changing passwords for immediately:
|Website|Was it affected?|Is there a patch?|Do you need to change your password?|
|---|---|---|---|
|Amazon Web Services (for website operators)|Yes|Yes|Yes|

What Facebook Officials Said: “We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed. We haven’t detected any signs of suspicious account activity, but we encourage people to … set up a unique password.”

What Tumblr Officials Said: “We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue.”

What Twitter Officials Said: Twitter has not yet responded to a request for comment.

What Google Officials Said: “We have assessed the SSL vulnerability and applied patches to key Google services.” Search, Gmail, YouTube, Wallet, Play, Apps and App Engine were affected; Google Chrome and Chrome OS were not. Google said users do not need to change their passwords, but given the vulnerability, better safe than sorry.

What Yahoo Officials Said: “As soon as we became aware of the issue, we began working to fix it… and we are working to implement the fix across the rest of our sites right now.” Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr were patched. More patches to come, Yahoo says.

What Gmail Officials Said: “We have assessed the SSL vulnerability and applied patches to key Google services.” Google said users do not need to change their passwords, but given the vulnerability, better safe than sorry.

What Yahoo Mail Officials Said: “As soon as we became aware of the issue, we began working to fix it… and we are working to implement the fix across the rest of our sites right now.”

What Amazon Officials Said: Most services were unaffected, or Amazon was already able to apply mitigations. Elastic Load Balancing, Amazon EC2, Amazon Linux AMI, Red Hat Enterprise Linux, Ubuntu, AWS OpsWorks, AWS Elastic Beanstalk and Amazon CloudFront were patched.

What Dropbox Officials Said: On Twitter: “We’ve patched all of our user-facing services & will continue to work to make sure your stuff is always safe.”

What LastPass Officials Said: “Though LastPass employs OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys.”

What Wunderlist Officials Said: “You’ll have to simply log back into Wunderlist. We also strongly recommend that you reset your password for Wunderlist.”
Lastly – as always – keep an eye on your sensitive online accounts, especially banking and email, for suspicious activity, particularly over the next week or so.