Heartbleed, OpenSSL and Perfect Forward Secrecy

If you want to know the quick and easy way to understand what Heartbleed is, How the Heartbleed Bug Works and what it means to you in very simple and elegant terms, there’s this wonderful xkcd cartoon today:

Heartbleed Explanation: How the Heartbleed Bug Works - xkcd.com - Click on image to go to the site to see it larger

Heartbleed Explanation: How the Heartbleed Bug Works – xkcd.com – Click on image to go to the site to see it larger

And that my friends is pretty much it in the nutshell.

Due to this ‘bug’ or what could be commonly called in days gone by as a type of buffer overflow condition causing leaking of information, sometimes serious and important information.

You will or at least you should be hearing from secure websites where you have made purchases and have accounts, as well as banks you use, and many more secure websites as they update their SSL Certificates.

Many have been working on this and many have already taken care of this on their servers.

Once it is taken care of, then you want to change your password but not before.

If the website was vulnerable, they should be contacting you, or when you login you will see a notice about it. Soundcloud.com was a good example. When I logged in today, they presented a banner across the top about the Heartbleed vulnerability.

When/If a secure website was vulnerable, they will be contacting you when they get this fixed on their website server, so you can change your password.

The sad thing is that this bug has been out there for at least 2 years!

Here’s a really good article about this in layman’s terms and there are several sites for testing supposedly secure websites for your banks, credit card companies, email, etc.:

Heartbleed OpenSSL Bug FAQ for Mac iPhone and iPad users – Intego.com Blog

What CERT and others are recommending to these websites that are vulnerable is to implement Perfect Forward Secrecy like StartPage.com and ixquick.com where they have this knowledge base article:
“Heartbleed” is a security vulnerability in OpenSSL (Secure Socket Layer) encryption that permits eavesdropping on communications and access to sensitive data such as passwords. Heartbleed gives read access to the memory of the encryption functions of vulnerable servers, allowing attackers to steal the private keys used to encrypt data transmissions.StartPage’s vulnerability to this attack was limited, since we had implemented a more secure, upgraded form of SSL known as Perfect Forward Security (PFS) in July 2013. PFS is generally supported by most recent browser versions. Since PFS uses a different “per-session” encryption key for each data transfer, even if a site’s private SSL key is compromised, past communications are protected from retroactive decryption.

Security is a moving target, and we work hard to stay ahead of the curve. Immediately after the Heartbleed security advisory, StartPage’s encryption modules were updated and encryption certificates were changed.

In independent evaluation, StartPage and Ixquick outscore other search engines on encryption standards, earning an A+ rating. See Qualys’ SSL Labs evaluation of StartPage’s encryption features here:
https://www.ssllabs.com/ssltest/analyze.html?d=startpage.com&s=69.90.210.72

This problem is serious and needs to be addressed, but don’t panic. Secure websites that are vulnerable are working on the problem that was discovered this week.

Wait to hear from companies about whether they were vulnerable and that they have fixed the vulnerability on their secure webservers before changing any passwords.

Some good things to note, Apple and Microsoft have already notified that their services are not vulnerable. Here’s the Hit List from Mashable:

The Heartbleed Hit List: The Passwords You Need to Change Right Now – Mashable

Some big names that you might be happy to hear were not affected according to the Mashable article:

Apple, Microsoft, Amazon, eBay, PayPal, Target, Walmart, LinkedIn, Hulu, AOL email, Hotmail/MSN/Outlook.com emails and more.

All the Google servers have been updated:

You may have heard of “Heartbleed,” a flaw in OpenSSL that could allow the theft of data normally protected by SSL/TLS encryption. We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine.Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services. We regularly and proactively look for vulnerabilities like this — and encourage others to report them — so that that we can fix software flaws before they are exploited.

More in the article.

More information on Heartbleed:

EDIT: Please check the comments for some additional links that are very helpful and informative about the Bleeding Hearts Club by EFF.org, the vulnerable routers from Cisco/Juniper Networks as well as some additional VPN  and other products. And some good news about 1Password.
About these ads

5 thoughts on “Heartbleed, OpenSSL and Perfect Forward Secrecy

  1. More info about the Cisco/Juniper Networks router fiasco from Heartbleed as well starting here at Scot’s Newsletter Forums:

    http://forums.scotsnewsletter.com/index.php?showtopic=69051&#entry394362

    Definitely wise to wait for the website to notify you that they have patched their server AND had their certificate updated.

    I went to Soundcloud and they actually were notifying people as they came to the site, Pinterest sent an email.

    They appear to be handling it differently.

    Some sites seem to be notifying you in email of cool stuff or new features on their website and when you to go to the site, they also let you know about the issue.

    Others are letting us know through website blogs, press releases, etc.

    Seems there is no clear cut way they are doing it.

    I would hope that banking institutions, credit card companies, other financial institutions for stock portfolios, etc. are being more straight forward and just emailing or sending a snailmail notification (not the preferred way by snailmail btw).

    I was notified by one company that yes, they were vulnerable and they fixed webserver, restarted it and then requested a new certificate, but they were also quick to say that because ‘your’ data is encrypted by keys the website does not hold (you hold the keys), the data was still safe. They also said they employ PFS.

    Also as noted in the blog posting, StartPage.com has been using PFS right along.

Comments are closed.