Protect your sites—and your servers—from Heartbleed. Learn how to audit, test, and fix vulnerability issues associated with OpenSSL.
- [Voiceover] As has been widely publicized, a severe hole in internet security known as the Heartbleed Bug has been discovered. This bug affects a significant percentage of secure HTTP servers around the world. Heartbleed is a bug in OpenSSL, an open source software package that's widely used to manage security certificates and encryption between internet clients and servers. It primarily affects HTTP servers, the servers that host websites, and specifically, HTTP servers that use OpenSSL versions 1.0.1 through 1.0.1f.
This isn't an architectural problem with OpenSSL itself. It's just some bad code that was introduced into the product. The bug is in the implementation of the Transport Layer Security protocol, or TLS, and specifically, a part of the protocol known as the heartbeat extension. The heartbeat extension is used to create a handshake between a client and a server as they initiate encrypted communication. The problem is that this bug allows memory and data to leak through.
Here's the technical description. A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. 64k doesn't sound like a lot, but this hole in the security of the TLS heartbeat extension can be exploited over and over again once it's been discovered. This means that servers and client computers and even mobile devices such cell phones and tablets that are connected to the internet are potentially vulnerable if they use particular versions of OpenSSL.
As an IT administrator or business owner, it's critical to understand the nature of the bug, how to find out whether your systems are vulnerable, and how to go about fixing the issue. Here's the sort of data that can be leaked through the Heartbleed Bug. Primary keys are the digital security certificates that manage encryption. These are the keys to the kingdom, and the Heartbleed Bug lets those leak from server memory. Also, secondary keys such as user credentials, usernames and passwords, or other information that's being used to authenticate users can be leaked.
Once that information has been compromised, it's possible to get to other protected contents, information as sensitive as credit card numbers, and finally, collateral information such as memory addresses or other internal technical info. Some of this information is temporary and transient. For example, if someone has captured memory addresses from a current server session, it wouldn't be useful once you've updated OpenSSL to a safe version and restarted your server.
But everything else that might have been compromised needs to be closely evaluated, and if warranted, it needs to be changed. This is laborious and a major pain, but it might be necessary. Don't underestimate this issue. If you offer secure hosted services, you should immediately find out whether your systems need attention. Some organizations, including national governments, have actually shut down critical web-based services until they're confident that this bug has been corrected on their servers.
It's that serious. Deal with it now, and you might save yourself some bigger trouble down the road. You can easily find out whether your systems are vulnerable. If they are vulnerable, it's tough to know what information might have been stolen, if any. So it's best to be safe. Security experts worldwide are recommending that you change or replace potentially compromised security assets such as certificates, passwords, and so on. To learn more about the bug and find resources to deal with it, go to the website that's been set up for this purpose at heartbleed.com.
This webpage will be kept up-to-date as information develops. It includes information about the nature of the bug, and down at the bottom of the page, a list of resources that you can use to find out how to deal with particular servers. In the following movies, I'll describe key strategies you can follow to find and fix vulnerabilities in your own systems.