The heartache of the Heartbleed Bug

By Maksym Schipka, Senior Vice President Engineering.

The Heartbleed bug is probably one of the most serious security flaws in recent times, potentially affecting hundreds of millions of people. It was introduced into the OpenSSL library, responsible for “S” in “HTTPS” on most websites, on the 31st December, 2011. Of course, hindsight is a wonderful thing, but here are some lessons to be learnt…

The feature that introduced this bug has been addressing a well-known concern of TCP/IP overheads when establishing secure connections. Simply put, the way it works is as follows:

  • The client (i.e., your browser) sends a special packet to the server, containing a sequence number and some padding, together with packet size. This is used to indicate to the server that the connection must be kept open and not timeout.
  • The server (i.e., the website) replies with a packet containing your sequence number and some padding, to indicate that the server received the request and is keeping the connection open.

This allows browser and server to avoid re-establishing secure connection, thus saving time and latency. Put in simple terms, it makes the web pages feel more responsive, sometimes by a signficiant margin.

This has been perceived so important that the feature was enabled by default and made it into a release version of OpenSSL version 1.0.1 on the 14th of March 2012. Needless to say, that despite the code being there for two and a half months- in the public domain - no one really looked at it from a security perspective, which leads us to Lesson 1: user friendliness and security often conflict with one other.

Exploiting vulnerability is very easy. All the attacker needs to do is to ask for more information back than they send. This means that up to 64kB of data could be leaked from the server. It just happens that the data may include the private keys for SSL communications, effectively enabling the attacker to eavesdrop on what was perceived as secure communications. This includes passwords – whether for online shopping, e-Government or secure email – whenever they feel like it. There were already allegations (although vehemently denied, of course) that NSA knew about Heartbleed and were using it to their advantage. No mere mortal will know 100% truth, of course.

The vulnerability has only been publically disclosed on 7th April 2014 , over two years later, which leads to Lesson 2: Open Source does not necessarily mean “more secure”, despite what some of our German friends say.

At the time of creating this blog, the first victims of Heartbleed bug have been confirmed to be Mumsnet and Canada’s tax agency, reporting their users’ passwords stolen. These victims are the first, but we’re sure they are not the last.

It’s all about timing and patience

More worryingly, there have been media reports advising everyone to rush off and change their online passwords. While this is the ultimate action that needs to be taken, there is a timing issue. Changing the password without the website having been updated is pointless, so, before the password is changed, there is a need to check that the website holding your password has been fixed.

Fortunately, doing so is free and easy. There are various online services that were either created for this purpose (for example, Intel/McAfee online Heartbleed tester), or that were updated to check for Heartbleed (for example, Qualys’s SSL Labs SSL Server Test). All you need to do is enter the URL of the website and press “Scan” button. If the result indicates that the site is not vulnerable to Heardbleed, go ahead and change your password.

Password best practice

Of course, choosing a new password is not easy. Not only must it be significantly different to the previous one, here is a “small” list of requirements for a good password policy:

  • Changing passwords on a regular basis is good practice
  • Make sure that the password is more than eight characters long and includes the usual uppercase, lowercase, number and ‘punctuation’ as well. This makes for a strong password. 
  • Try not to use a single word; even if you were to swap out characters, for example ‘E’ becomes ‘3’ – as that is often checked for. 
  • Do think about concentrating words together, and then changing characters, so a password of ‘catonthemat’ could become ‘Cat0nth3mat.’ Using a ‘passphrase’ rather than ‘password’ makes it simple to remember!
  • Do not use the same password for every site, there are levels of importance. 
  • Our lives are digital, and we shared different levels of information with different services; we should bear this in mind.
  • So, your banking site should have a unique password, as should your credit card sites. After this, shopping sites which maintain a copy of your details can be in a different category, and then there are the social networking sites and other general ones. Users may find it interesting just how many sites they visit and therefore how many usernames and passwords they have! For many, using an application like LastPass (who also developed a tool to check websites for Heartbleed and integrated it into their browser toolbar) or other alternatives to generate and manage passwords is the simplest solution – as that reduces the need of having to remember them all
  • It goes without saying that you should not have a Word document on your desktop with all of your log-in details in one place.
  • Think about the sites you have visited and if they have a username and password. Revisit those sites and change the password – put a note in the calendar to do this again in three months’ time. 
  • How to tell spammers from the real deal: if you receive an email requesting you change your password – type in the URL of the site you usually visit, directly – do not use a link in an email, just in case it is a phishing email.

If you are overwhelmed by this list, go ahead and choose your own password manager – just make sure it is from a reputable, well-known company.

To summarize, the Heartbleed bug is a significant issue and it is difficult to think of a technology capable of proactively preventing similar issues in similar technologies. Mitigation is quite tedious and involved, and we are sure there will be more news about more victims of it to come.

Further reading

For more information on passwords and their effectiveness, download our free eGuide: Password, Privilege or Bypass