Tech firms and security experts are strongly advising that people change all their passwords following the discovery of a serious security flaw in OpenSSL, the library behind the little padlock icon on a large share of secure websites. The flaw meant that, with a very simple set of tools, an attacker could read chunks of a vulnerable server’s memory, and with it the private keys, session cookies and passwords that the padlock is supposed to protect.
The vulnerability, known as “Heartbleed” (CVE-2014-0160), was inadvertently introduced in OpenSSL 1.0.1, released in March 2012, and is present in every 1.0.1 release from then until its public disclosure on 7th April 2014. The older 0.9.8 and 1.0.0 branches were never affected.
Anyone who has used the Internet in the last two years could be affected. Roughly two thirds of web servers use OpenSSL for their secure connections, and while a website can be tested for whether it is vulnerable right now, an outsider has no way of knowing whether it was vulnerable earlier or whether anyone exploited it, because the attack leaves nothing abnormal in the server’s logs. Some well-known websites, including Google, Dropbox, Yahoo and Tumblr, were affected by the vulnerability, but have since patched their systems.
EMSL’s own web hosting has never had a vulnerable version of OpenSSL installed, so none of our clients’ websites were directly affected. However, given the wide reach of this bug, we are still recommending that everyone changes their passwords to be sure.
The chances are that, if you have used the Internet over the last two years, you have sent passwords and personal details over connections you believed were secure but were not. It is impossible to say exactly which websites were affected or for how long, so the only safe course is to assume that every username and password you have used over that period is compromised.
But before you rush to change all of your passwords, check whether the website you are changing your password for is still vulnerable. If attackers were unaware of this bug before, they certainly are now, so if a server is still vulnerable, wait until it has been fixed before changing your password, or you may simply be handing the new one over as well. Ideally, also wait until the site has replaced its SSL certificate: a private key leaked before the patch lets an attacker impersonate the site or decrypt traffic to it until the key is changed, however fresh the password. Filippo Valsorda’s web tool is the most widely recommended checker: enter the domain name of the website you want to check, for example “emsl.co.uk”, and press the “go” button. If the website is reported as “fixed or unaffected” it is safe to change your password. If you get a timeout or another error or warning, the result is inconclusive; it does not mean the server has been fixed, so try again later or ask the site directly.
As always, the best way to stay safe is to use a different password for every website you log into, and use a tool such as KeePass or LastPass to store all of your login details securely. A unique password per site means that one leaked password only ever compromises one account.
You can use our password tools to create secure passwords and to check the strength of your existing ones. No data is sent to or from our server by these tools; all the calculations take place on your computer, so provided your computer is free of malware and nobody is looking over your shoulder, using them will not expose your password.
If you have any questions or concerns about your website’s security in general, or the Heartbleed bug in particular, contact us on 01462 67 60 70 to discuss a website security audit.
The vulnerability was dubbed “Heartbleed” because it exploits the TLS “heartbeat” extension (RFC 6520), which OpenSSL implemented from version 1.0.1 onwards. The bug was discovered by Neel Mehta of Google Security and the fix was prepared by Adam Langley and Bodo Moeller.
“Heartbeat” is a keep-alive feature which lets either end of a connection say “here is some data, send it back to me”. A heartbeat request consists of a one-byte type, a two-byte length field saying how much payload follows (so up to 64 KiB), the payload itself, and at least 16 bytes of padding. The other side should respond with a copy of exactly the payload it received.
The exploit works by sending a heartbeat request whose length field says “I am sending you 64 KiB of data” but which actually carries a single byte. Vulnerable versions of OpenSSL never compared the claimed length with the number of bytes that had actually arrived; they copied the claimed number of bytes out of the receive buffer, so the response contained the one byte the attacker sent followed by roughly 64 KiB of whatever lay next to that buffer in the server process’s memory.
Repeating the request returns a different slice of memory each time, because what sits next to the receive buffer depends on what the server’s allocator has recently placed there, and that changes as connections come and go (the name “random access memory” has nothing to do with it: it refers to how memory is addressed, not to its contents). Sooner or later the leaked slice contains something interesting: the website’s private key, which lets an attacker impersonate the site or decrypt traffic to it and which has been recovered this way in practice, or another user’s session cookies or passwords that the server had just processed. Only the memory of the process using OpenSSL can be read, but on a web server that process handles every user’s requests, which is more than enough.
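The request and the two server behaviours described above, as an added example that is not part of the original article or of OpenSSL’s own code. It simulates the heartbeat handler in C against a fixed array standing in for the process’s heap, so the over-read stays inside the program’s own memory and nothing is undefined; the secret string, its offset and the helper names are constructed for the demonstration, and the two length checks in the fixed handler mirror the shape of the 1.0.1g fix.

```c
/* Added example, not OpenSSL's code: a self-contained simulation of the TLS
 * Heartbeat handler (RFC 6520) with the Heartbleed over-read beside the bounds
 * check that fixed it. Message format: type (1 byte), payload_length (2 bytes,
 * big-endian), payload, then at least 16 bytes of padding. The `heap` array
 * stands in for the server process's memory: the received record sits at its
 * start and a constructed secret is planted 256 bytes in. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST    1
#define HB_RESPONSE   2
#define HB_PADDING    16
#define HEAP_SIZE     (1 << 17)   /* 128 KiB of pretend process memory */
#define SECRET_OFFSET 256

static unsigned char heap[HEAP_SIZE];
static const char SECRET[] = "Cookie: session=3f9a1c...; user=alice"; /* constructed */

/* A received TLS record: where it lives and how many bytes really arrived. */
struct record { unsigned char *data; size_t length; /* rrec.length in OpenSSL */ };
typedef size_t (*hb_handler)(const struct record *, unsigned char *, size_t);

/* Write a heartbeat request at heap[0]: `claimed_len` goes in the header, but
 * only `actual_len` payload bytes are actually sent. */
static struct record build_request(uint16_t claimed_len,
                                   const unsigned char *payload, size_t actual_len)
{
    unsigned char *p = heap;
    p[0] = HB_REQUEST;
    p[1] = (unsigned char)(claimed_len >> 8);
    p[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(p + 3, payload, actual_len);
    memset(p + 3 + actual_len, 0, HB_PADDING);
    struct record r = { heap, 1 + 2 + actual_len + HB_PADDING };
    return r;
}

/* Build the response. Both handlers share this; the only difference between
 * them is whether `payload` was checked against the record length first. */
static size_t write_response(const unsigned char *pl, unsigned int payload,
                             unsigned char *out, size_t out_cap)
{
    size_t n = 1 + 2 + (size_t)payload + HB_PADDING;
    if (n > out_cap) return 0;          /* models the exact-size OPENSSL_malloc */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);       /* the over-read when payload > bytes received */
    memset(out + 3 + payload, 0, HB_PADDING);
    return n;
}

/* Vulnerable shape (OpenSSL 1.0.1 to 1.0.1f): trusts the 16-bit length field
 * and never compares it with how many bytes arrived. */
static size_t heartbeat_vulnerable(const struct record *rec, unsigned char *out, size_t cap)
{
    const unsigned char *p = rec->data;
    unsigned int payload = (p[1] << 8) | p[2];   /* n2s(p, payload) */
    return write_response(p + 3, payload, out, cap);
}

/* Fixed shape (1.0.1g): silently discard the message when header + claimed
 * payload + minimum padding exceed what was received (RFC 6520 section 4). */
static size_t heartbeat_fixed(const struct record *rec, unsigned char *out, size_t cap)
{
    const unsigned char *p = rec->data;
    unsigned int payload;
    if (1 + 2 + HB_PADDING > rec->length) return 0;          /* too short for a header */
    payload = (p[1] << 8) | p[2];
    if (1 + 2 + payload + HB_PADDING > rec->length) return 0; /* the Heartbleed check */
    return write_response(p + 3, payload, out, cap);
}

/* The attack: claim 65535 bytes, send one. Returns 1 if the secret appears in the
 * response; response byte i mirrors heap byte i (pl = heap + 3, copy lands at out + 3). */
static int run_demo(hb_handler handler, size_t *resp_len)
{
    static unsigned char out[1 + 2 + 0xFFFF + HB_PADDING];
    unsigned char one_byte = 'A';
    size_t n;
    memset(heap, 0, sizeof heap);
    memcpy(heap + SECRET_OFFSET, SECRET, sizeof SECRET - 1);
    struct record rec = build_request(0xFFFF, &one_byte, 1);
    n = handler(&rec, out, sizeof out);
    if (resp_len) *resp_len = n;
    return n > SECRET_OFFSET + sizeof SECRET - 1 &&
           memcmp(out + SECRET_OFFSET, SECRET, sizeof SECRET - 1) == 0;
}

/* Length of the response a handler produced for the same attack (0 = discarded). */
static size_t demo_response_len(hb_handler h) { size_t n; (void)run_demo(h, &n); return n; }

int main(void)
{
    size_t n;
    int leaked = run_demo(heartbeat_vulnerable, &n);
    printf("vulnerable: %zu-byte response, secret leaked: %s\n", n, leaked ? "yes" : "no");
    leaked = run_demo(heartbeat_fixed, &n);
    printf("fixed:      %zu-byte response, secret leaked: %s\n", n, leaked ? "yes" : "no");
    return 0;
}
```

Compile and run with cc -o hb hb.c && ./hb. The vulnerable handler answers with a 65554-byte response in which the planted cookie appears at offset 256; the fixed handler answers with nothing, which is what RFC 6520 asks for when the claimed and received lengths disagree. Note what the fix is not: it is not a check against the size of the response allocation (that buffer was always sized from the claimed length, so there was never a write overflow), it is a check of the claimed length against the bytes that actually arrived.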
The affected versions of OpenSSL are 1.0.1 to 1.0.1f inclusive, and the 1.0.2-beta1 release. You can check your version of OpenSSL by typing openssl version in the shell, but be aware that Linux distributions such as Debian, Ubuntu and Red Hat backported the fix into their existing packages without changing the version number, so a server reporting 1.0.1e may already be patched: check the package changelog for CVE-2014-0160, or the package’s build date, rather than trusting the version string alone. Affected users must upgrade to 1.0.1g immediately, or recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. Upgrading the library is not the end of it: every service that has OpenSSL loaded (web servers, mail servers, VPNs and so on) must be restarted to pick up the new library, and because private keys may already have leaked, the keys should be regenerated, new certificates issued and the old ones revoked, after which user sessions should be invalidated and passwords reset. Version 1.0.2, which should not be in use on live websites anyway, will be fixed in 1.0.2-beta2.