On April 7, 2014 the Internet panicked. Passwords were no longer safe, banks no longer secure – the security that so many of us blindly put our trust in had been broken. With around half a million of the Internet’s web servers vulnerable to attack, Heartbleed became the most infamous computer bug in recent computer history. As such, we must ask ourselves: what is Heartbleed, why did it occur, and why is it such a big deal?
Heartbleed is a vulnerability in the OpenSSL cryptography software. The weakness caused by the bug allows the theft of information through the SSL/TLS encryption which secures the Internet. The bug originates from a process in this security called the Heartbeat. Heartbeats allow two computers that are communicating with each other to pass a small ‘beat’ of data back and forth to check for connectivity. For example, if Computer 1 sends a heartbeat to Computer 2 and Computer 2 does not respond, Computer 1 assumes Computer 2 is not there.
The Heartbleed bug occurs during this heartbeat interaction. During a heartbeat, the computer sends three pieces of information – the initial position of the data, the final position of the data and the size of the data. For example, Computer 1 would take 4 MB of data and place it in an open 4 MB of data on Computer 2, and Computer 2 would do the same back. The bug arises when you lie about the size of the data you are sending. So if you have 4 MB of data, but you tell Computer 2 that you have 8 MB of data, Computer 2 will return you 8 MB of data – the 4 MB that you sent, and 4 MB of its own data. Here’s the catch: the extra data could be anything from a collection of banking passwords to the security keys necessary to bring down an entire company. Any persistent hacker could continue to send heartbeat requests until they received a password or security key. The xkcd comic below demonstrates this process. Funnily enough, this bug was fixed the day it was discovered by simply changing the code to check that the amount of data you say you’re sending is the same as what you actually are sending.
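To make the length check concrete, here is an added example (not code from the post or from OpenSSL itself): a constructed heartbeat record that claims more payload than it carries, handled first by a function that trusts the claimed length and then by one that applies the bounds check the fix introduced. The record layout follows RFC 6520; the arena, the "hello" payload and the adjacent "SECRET" bytes are all constructed for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Simplified TLS heartbeat record (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST 1
#define HB_PADDING 16

/* Constructed "process memory": a heartbeat record followed by bytes that must
 * never be sent back (standing in for keys, cookies or passwords). */
static const unsigned char arena[] = {
    HB_REQUEST, 0x00, 0x1b,                    /* claims 27 bytes of payload... */
    'h', 'e', 'l', 'l', 'o',                   /* ...but only 5 were sent */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 16 bytes of padding */
    'S', 'E', 'C', 'R', 'E', 'T'               /* adjacent memory, not part of the record */
};
static const size_t record_len = 3 + 5 + HB_PADDING; /* what the peer really sent */
/* An honest record: claims 5 bytes and carries 5. */
static const unsigned char honest[3 + 5 + HB_PADDING] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static unsigned char reply[64]; /* reply buffer shared by the demonstrations */

static size_t claimed_payload_len(const unsigned char *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

/* Pre-fix: trusts the claimed length and copies that many bytes into the reply,
 * reading past the real payload. 'avail' bounds the read to the constructed
 * arena so the demo stays well defined; the real code had no such bound. */
size_t heartbeat_reply_unchecked(const unsigned char *rec, size_t avail, unsigned char *out, size_t out_cap) {
    size_t n = claimed_payload_len(rec);
    if (n > avail) n = avail;
    if (n > out_cap) n = out_cap;
    memcpy(out, rec + 3, n);
    return n;
}

/* Post-fix, mirroring the arithmetic of the OpenSSL patch: a record whose header,
 * claimed payload and padding exceed what was actually received is silently
 * discarded (-1); otherwise the payload is echoed and its length returned. */
int heartbeat_reply_checked(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap) {
    size_t n;
    if (rec_len < 1 + 2 + HB_PADDING) return -1;     /* too short to be a heartbeat */
    n = claimed_payload_len(rec);
    if (1 + 2 + n + HB_PADDING > rec_len) return -1; /* the length lie is caught here */
    if (n > out_cap) return -1;
    memcpy(out, rec + 3, n);
    return (int)n;
}
```

The unchecked handler echoes 27 bytes, the last six of which are the adjacent "SECRET"; the checked handler discards the same record because 1 + 2 + 27 + 16 = 46 exceeds the 24 bytes that actually arrived, while the honest record is answered normally.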
How did this disastrous bug occur? Surely the bug would have been caught by the rigorous testing standards set by those who secure the Internet. Robin Seggelmann, a German graduate student at the University of Muenster, was working on a research project at the university that involved contributing bug fixes and new features to the OpenSSL encryption library. On New Year’s Eve of 2011, Seggelmann finished what would become the Heartbleed bug. The changes he made to the OpenSSL code were checked by a member of the OpenSSL development team and then added to the official OpenSSL code. Little did he know, these changes would cause a wave of panic amongst all Internet users three years later.
Why is the Heartbleed bug such a big deal? The problem comes down to the role of encryption. Nearly everything you do on the Internet is encrypted, and for good reason. The emails you send, the passwords you enter, the items you buy – all encrypted so that other people cannot see them. Heartbleed is a case in which our use of encryption is circumvented, and that’s why it is so significant. Someone affected by this bug could find all the information they store on the service compromised. While this bug did not affect every website, Instagram, Google, Gmail, Yahoo and Reddit are a few big names that were affected.
At the end of the day, the only thing average users really could do to protect themselves from the bug was to change all their passwords on the services they use after the bug had been patched. Heartbleed remains a reminder that the Internet was created by humans, and is not infallible. Before putting too much trust in the online world, remember that someone could make a mistake that costs you your information.