Should You Fear The “Heartbleed” Bug?

d’wise one
Published in Chip-Monks
Apr 18, 2014

Yes, most definitely. But don’t panic yet. You may just fall into the honey trap!

“Heartbleed” is an interesting name, and it may well go down in history as one of the most damaging bugs ever to hit the Internet.

An inadvertent error in the code of the OpenSSL library could compromise encryption for most of the Internet, putting your passwords and data at risk.

Not a good time to go online for shopping!

As I said earlier, “Heartbleed” is a mistake in code, and it has exposed a vulnerability in OpenSSL, a technology used for encryption by around 66% of public servers.
OpenSSL is maintained by a group of developers rather than by a single entity or organization. The bug appears to have been introduced into OpenSSL by a simple programming mistake, which then spread as websites around the world updated to the affected version of OpenSSL. The man held responsible for the error is Robin Seggelmann, a researcher on Internet transport protocols who works on the Transport Area and on Transport Layer Security (TLS).

Transport Layer Security (for those of you who are curious about the name) secures application data by adding an extra layer between the transport protocol and the application protocol.

What is this vulnerability?

When you go online and connect to a secure website (one whose address starts with HTTPS), your browser locates the site and connects to it.
While doing so, your browser requests and verifies the site’s certificate and generates an encryption key for the secure session. This key is encrypted by your browser and decrypted by the site, which establishes the secure connection. Once the secure connection is in place, your browser asks for data and the site sends back what was requested, letting you browse the website.

The heartbeat extension for TLS simply lets one device confirm the other’s continued presence by sending a specific payload that the other device sends back.

Because of the error in the code, a heartbeat request can misstate the amount of data to be sent back, and the site answers with that much of its memory. The extra bytes can contain confidential data such as encryption keys, passwords, login details, user IDs and other personal data.
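The two paragraphs above describe a length field that the receiver trusts without checking. The following is an added example, not code from the original post or from OpenSSL itself: it simulates a heartbeat record (type, two-byte length, payload, padding) placed in a constructed stand-in for process memory, shows how a reply built without a bounds check echoes bytes that were never part of the request, and shows the single check that the fix adds. The `memory` buffer, the `CONSTRUCTED-NEIGHBOUR-DATA` marker and the function names are all assumptions made for this demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat message layout (RFC 6520):
   type(1) | payload_length(2, big-endian) | payload | padding (at least 16 bytes) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Constructed stand-in for process memory. The heartbeat record is written at
   offset 0; the bytes after it play the role of neighbouring data on the heap. */
static unsigned char memory[512];
static unsigned char response[HB_HEADER + 65535 + HB_PADDING];
static const char marker[] = "CONSTRUCTED-NEIGHBOUR-DATA";

/* Write a heartbeat request into `memory` whose declared length may exceed the
   real payload. Returns the true length of the record as received. */
static size_t build_request(uint16_t claimed, const unsigned char *payload, size_t actual)
{
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed >> 8);
    memory[2] = (unsigned char)(claimed & 0xff);
    memcpy(memory + HB_HEADER, payload, actual);   /* padding stays zero */
    size_t rec_len = HB_HEADER + actual + HB_PADDING;
    /* Place the marker directly after the record: data an over-read would sweep up. */
    memcpy(memory + rec_len, marker, sizeof marker);
    return rec_len;
}

/* Vulnerable behaviour: trust the sender's length field and echo that many bytes. */
static size_t reply_unchecked(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    (void)rec_len;  /* the record's real length is never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* If payload > actual, this copies bytes from beyond the record. */
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return HB_HEADER + payload + HB_PADDING;
}

/* Fixed behaviour: discard any record whose declared length does not fit inside it. */
static size_t reply_checked(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (rec_len < HB_HEADER + HB_PADDING)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload + HB_PADDING > rec_len)
        return 0;  /* silently drop the request, as the patched code does */
    return reply_unchecked(rec, rec_len, out);  /* safe once the length is validated */
}

/* Did the reply carry bytes that were never part of the request payload? */
static int response_contains_marker(const unsigned char *resp, size_t resp_len)
{
    size_t mlen = strlen(marker);
    for (size_t i = 0; i + mlen <= resp_len; i++)
        if (memcmp(resp + i, marker, mlen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const unsigned char ping[4] = { 'p', 'i', 'n', 'g' };

    /* Honest request: declared length matches the payload; both versions answer. */
    size_t n = build_request(4, ping, 4);
    printf("honest request: checked reply %zu bytes\n", reply_checked(memory, n, response));

    /* Dishonest request: claims 200 bytes but carries 4. */
    n = build_request(200, ping, 4);
    printf("dishonest request: checked reply %zu bytes (0 = discarded)\n",
           reply_checked(memory, n, response));
    size_t leaked = reply_unchecked(memory, n, response);
    printf("dishonest request: unchecked reply %zu bytes, marker leaked: %s\n",
           leaked, response_contains_marker(response, leaked) ? "yes" : "no");
    return 0;
}
```

The only difference between the two reply functions is the comparison of the declared length against the record's real length; everything else is identical, which is why the original omission was so easy to make and so hard to spot in review.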

The extent of the vulnerability is huge, as the flawed code is found in some widely used email server software, online browsing tools, VPNs, online games, and even the software that provides Internet connectivity for mobile phones and webcams.

Jeff Forristal, chief technology officer of Bluebox Security, said that version 4.1.1 of Google’s Android OS (Jelly Bean) is also vulnerable; Google officials declined to comment on this.

The Heartbleed vulnerability went undetected for about two years. Since it can be exploited without leaving a trace, experts and consumers fear that attackers may have compromised large numbers of networks without anyone’s knowledge, and there is little Internet users can do to protect themselves until vulnerable websites upgrade their software.

An updated version of OpenSSL has been issued, and sites can use it to fix the bug. In addition to updating OpenSSL, sites will need to replace many pieces of their security setup, namely the keys and certificates used to confirm identity.

While you are advised to change your logins and passwords on all sites, we would advise you to wait, as a new password could be lapped up by unscrupulous hackers just like your existing ones; so wait until the bug has been fixed on each site.

Now a more ominous question arises — is this a simple programming error, or a secret back door allowing global monitoring agencies to spy on citizens?

*Ahem* We can’t say. Though conspiracy theorists are definitely having a field day, prophesying this way and that.

Originally published at Chip-Monks.
