On April 7, the Finnish security company Codenomicon and Google’s security team reported a serious vulnerability, named Heartbleed, in the OpenSSL encryption software library. OpenSSL is a widely used open-source product that is used, among other things, to encrypt network connections. SSL/TLS encryption is commonly used to protect users’ personal information when they visit websites such as online banks or shopping sites.
The vulnerability allows an attacker to read the memory of the target server directly, which could be hosting, for example, an online store. In this way the attacker can retrieve sensitive information, such as the private encryption key used to secure the visitor’s connection. Once the encryption key is compromised, the attacker can “eavesdrop” on all future traffic between the computer and the server.
To make things worse, attacks using the Heartbleed vulnerability leave practically no traces that can be detected with traditional security tools.
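As an added illustration, not part of the original post: the Heartbleed defect was a missing bounds check in OpenSSL’s handling of the TLS Heartbeat extension (RFC 6520), where the payload length declared by the peer was trusted when the reply was built. The Python below, written for this page rather than taken from OpenSSL, shows the check a patched implementation performs on each heartbeat record before answering it; the function names are mine and the sample records are constructed.

```python
import struct
from typing import Optional

# TLS record content type for the Heartbeat extension (RFC 6520).
HEARTBEAT_CONTENT_TYPE = 0x18
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


def check_heartbeat_record(record: bytes) -> str:
    """Classify one TLS record carrying a heartbeat message.

    Returns "ok" for a well-formed heartbeat, otherwise a reason why a
    patched implementation silently discards it. The decisive check is the
    one the unpatched code omitted: the 16-bit payload length the peer
    declares must fit inside the bytes that actually arrived.
    """
    if len(record) < 5:
        return "truncated record header"
    content_type, _version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return "not a heartbeat record"
    body = record[5:]
    if len(body) != record_len:
        return "record length does not match bytes received"
    if record_len < 1 + 2 + MIN_PADDING:
        return "record too short for a heartbeat message"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return "unknown heartbeat type"
    # The bounds check: type (1) + length (2) + payload + padding (16) must
    # not exceed the record. Without it, the reply echoes payload_len bytes
    # from wherever the request buffer happens to sit in process memory.
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return "declared payload length exceeds record"
    return "ok"


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Build a heartbeat request record as constructed test input.

    declared_len lets a test state a payload length other than the true one,
    which is exactly the malformed input the check above must reject.
    """
    if declared_len is None:
        declared_len = len(payload)
    body = struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload
    body += b"\x00" * MIN_PADDING
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, 0x0302, len(body)) + body
```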
In order to get a sense of the ramifications of Heartbleed, we studied a list created by Donnie Berkholz. The list was made by scanning the world’s top 10 000 websites according to data from the web statistics company Alexa. Please note that the list linked here is based on the original data, and since then many companies, including Anders, have fixed the problem.
Immediately after we received information about the vulnerability, we checked all our servers thoroughly. Most of them were found NOT to be affected by the Heartbleed vulnerability.
Those servers running a vulnerable version of OpenSSL were immediately updated to a newer version, and the respective SSL certificates were renewed as a safety measure.
Users of those services that might have been affected have been separately instructed to change their passwords as a precaution. The latter is not strictly necessary, but we take no risks when it comes to security.
E-commerce solutions and other services developed by Anders can be safely used. You can also check if any website currently online is vulnerable by using the Heartbleed Test created by Filippo Valsorda.
Unfortunately, website administrators can do very little against these kinds of zero-day attacks. For this reason the people who first discovered the vulnerability have been criticized for making their findings public before software vendors were given sufficient time to upgrade their products.
On the other hand, if the news about the discovered vulnerability had not been made public quickly, many parties would probably not have upgraded their OpenSSL. It remains an open question whether malicious attackers already knew about the vulnerability and used it before the information became public.
The best way to prepare for zero-day attacks is still fairly traditional: regularly updating the operating system and other software.
Although this vulnerability is very serious, there may be a silver lining to this dark cloud. A vulnerability this clear and serious will hopefully encourage service providers worldwide to act, and perhaps also to re-evaluate their current security standards.