Encryption security bug Heartbleed affects two-thirds of the Internet, including Yahoo
Millions of servers are affected by a security vulnerability nicknamed “Heartbleed” in OpenSSL, the software that encrypts much of the Internet's traffic. Even though an emergency patch has already been released, websites like Yahoo are going public about fortifying their own security.
Monday afternoon, the OpenSSL project released an urgent security advisory warning about Heartbleed, a vulnerability that lets an attacker exploit a flaw in the software to pull encryption keys out of a server's memory, enabling them to intercept data traffic or even impersonate the server itself.
Heartbleed enables attackers to read 64k chunks of memory at random from a target server. The Verge compares it to fishing: the perpetrators have no idea whether there will be any usable data in the haul, but they can cast again and again, and over time they will intercept a lot of sensitive data. The prize in a server's memory is its private encryption keys, which are necessarily held in memory and are easy to identify among other data. With them, attackers can tap into traffic to and from the server and potentially decrypt past traffic they had stored in encrypted form.
About 66% of the Internet uses OpenSSL to encrypt data – passwords, user names and other sensitive information on secure websites. Websites have to install updated, uncompromised software to eliminate any further exposure of their clients to the exploit. Millions of servers were exposed to Heartbleed.
International Computer Science Institute security researcher Nicholas Weaver said, “It is catastrophically bad, just a hugely damaging bug.”
Yahoo's services may be among the worst affected by Heartbleed. The exploit turns out to be a two-year-old vulnerability, but it is only now gaining public attention after Google researcher Neel Mehta detected it.
Yahoo promptly updated its servers: “our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Finance, Yahoo Food, Yahoo Tech, Yahoo Mail, as well as Sports, Flickr and Tumblr) and we are working to implement the fix across the rest of our sites right now.”
As a result of the security vulnerability, Yahoo has been leaking user information for two years on end. All servers running OpenSSL on Nginx or Apache are affected, making things look pretty ugly for a multitude of legitimate websites and services. According to Ars Technica, OpenSSL ships in a wide variety of operating systems and applications, including the Debian Wheezy, CentOS, Fedora, Ubuntu and openSUSE Linux distributions as well as OpenBSD and FreeBSD.
Microsoft, Apple and Google services, as well as major e-banking services and, hopefully, PayPal, do not appear to be affected.
Representatives of the Tor project said in a statement, “If you want strong anonymity or privacy online, you might want to stay away from the Internet entirely for the next few days while things settle.”
Experts suggest that even patched servers may still be vulnerable, since private keys could have been compromised before the patch was released. “I bet there will be a lot of vulnerable servers a year from now. This won’t get fixed,” said Weaver.
Affected websites will need new SSL certificates, an expensive and time-consuming procedure, yet one that is absolutely necessary to purge Heartbleed. A safe SSL certificate shows an issue date later than the release of the security patch.
It is advisable to change passwords on affected websites, but doing so won’t help much until the website's security has been properly bolstered.
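The issue-date check described above can be automated without third-party libraries. The following is an added example, not code from the article or from the OpenSSL project: a minimal DER/ASN.1 reader that walks a certificate to its Validity field and compares notBefore with the day the fix shipped (OpenSSL 1.0.1g, 7 April 2014). The sample certificates it checks are constructed skeletons, built by `build_sample_cert`, not real certificates; with a real one, `ssl.PEM_cert_to_DER_cert` from the standard library produces the DER bytes the reader expects.

```python
"""Check whether an X.509 certificate was issued after the Heartbleed patch.
Added example, not from the article: a minimal DER reader locates
Validity.notBefore and compares it with the OpenSSL fix date (stdlib only)."""
from datetime import datetime, timezone

# OpenSSL 1.0.1g, the release that fixed Heartbleed, shipped on 7 April 2014.
HEARTBLEED_PATCH_DATE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# ASN.1 tags the reader needs to recognise.
TAG_INTEGER, TAG_UTCTIME, TAG_GENERALIZEDTIME = 0x02, 0x17, 0x18
TAG_SEQUENCE, TAG_VERSION = 0x30, 0xA0


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for every element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _parse_time(tag, value):
    """Decode a Validity time (UTCTime or GeneralizedTime) to an aware datetime."""
    text = value.decode("ascii")
    if tag == TAG_UTCTIME:  # YYMMDDHHMMSSZ; RFC 5280 reads YY >= 50 as 19YY
        yy = int(text[:2])
        text = str((1900 if yy >= 50 else 2000) + yy) + text[2:]
    elif tag != TAG_GENERALIZEDTIME:  # GeneralizedTime is YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)  # tbsCertificate is the first element
    fields = list(_children(tbs))
    if fields and fields[0][0] == TAG_VERSION:  # optional [0] EXPLICIT version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, ...
    times = [_parse_time(t, v) for t, v in _children(fields[3][1])]
    return times[0], times[1]


def issued_after_patch(der, patch_date=HEARTBLEED_PATCH_DATE):
    """True if the certificate's notBefore is on or after the patch date."""
    not_before, _ = certificate_validity(der)
    return not_before >= patch_date


# ---- constructed sample data (not real certificates) -----------------------

def _tlv(tag, value):
    """Encode one DER element, using the long length form when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_cert(not_before, not_after):
    """Build an unsigned certificate skeleton whose Validity holds the given dates.
    Algorithm, issuer and subject are empty placeholders; constructed test data."""
    def utc(dt):
        return _tlv(TAG_UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

    tbs = (
        _tlv(TAG_VERSION, _tlv(TAG_INTEGER, b"\x02"))          # [0] version v3
        + _tlv(TAG_INTEGER, b"\x01")                           # serialNumber 1
        + _tlv(TAG_SEQUENCE, b"")                              # signature (placeholder)
        + _tlv(TAG_SEQUENCE, b"")                              # issuer (placeholder)
        + _tlv(TAG_SEQUENCE, utc(not_before) + utc(not_after)) # validity
        + _tlv(TAG_SEQUENCE, b"")                              # subject (placeholder)
    )
    return _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE, tbs))


# One certificate issued before the fix, one reissued two days after it.
SAMPLE_OLD_CERT = build_sample_cert(datetime(2013, 6, 1, tzinfo=timezone.utc),
                                    datetime(2015, 6, 1, tzinfo=timezone.utc))
SAMPLE_NEW_CERT = build_sample_cert(datetime(2014, 4, 9, 12, 0, 0, tzinfo=timezone.utc),
                                    datetime(2016, 4, 9, 12, 0, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for name, der in (("old", SAMPLE_OLD_CERT), ("new", SAMPLE_NEW_CERT)):
        nb, _ = certificate_validity(der)
        print(f"{name}: notBefore={nb:%Y-%m-%d} issued after patch: {issued_after_patch(der)}")
```

The issue date is only a proxy for the remediation the article describes: since the private key itself may have leaked before the patch, a certificate reissued for the same key pair carries a fresh date but leaves the server exposed, so the check is worth pairing with confirmation that a new key was generated.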
“These are really subtle bugs. You might detect it if you ran it through a memory checker, but this is not the kind of thing that just shows up looking at the code,” says Weaver.
There are online tools that can test websites for the Heartbleed vulnerability, but some exposure remains, varying from site to site.
Very few services have published comprehensive guides for their users on what to do about Heartbleed. Individual servers will need to be fixed manually, and some websites may not be able to repair the bug for quite a long time. According to the Wire, we need to treat Heartbleed “on a site-by-site basis.”
Heartbleed appears to be a major threat both in the number of affected computers and in the severity of the exploit.