Heartbleed Bug – Don’t trust the “HTTPS”

You have always been told to look for the lock symbol on any website: the lock indicates that you can a) trust that the website is who it says it is, and b) trust that any data you exchange with the website is encrypted and that no one else can read it. For example, when you log in to your bank account, the lock gives you the assurance that no hacker on the internet can read your password and that you are indeed logging on to your bank’s website and not a bogus pretender.

Though these things are normally true, a bug has recently been discovered in a software library called OpenSSL, which a large share of HTTPS websites use to implement SSL/TLS. For websites running the affected versions (OpenSSL 1.0.1 through 1.0.1f), neither of the above assertions can be relied on. The bug lets a malicious hacker on the internet, holding no password or other credential for the site, a) read sensitive data held in the server’s memory, including the server’s private key, and b) use a stolen private key to impersonate the affected website and, for connections that were set up without forward secrecy, decrypt traffic between the site and its users that was captured earlier.

The attacker can do all of this because the so-called “Heartbleed Bug” (CVE-2014-0160) lets a client read a chunk of the web server’s process memory. TLS has a “heartbeat” extension in which one side sends a small payload and asks the other to echo it back, stating along with it how long the payload is. Vulnerable OpenSSL trusted that stated length instead of checking it against the size of the message actually received, so a request that carries a few bytes of payload but claims 64 KB gets back those bytes followed by roughly 64 KB of whatever happened to be next in the server’s memory. The request can be repeated indefinitely and leaves no trace in ordinary web server logs, so over time that memory yields private keys, session cookies, passwords from recent logins and other sensitive information the attacker can use for further hacking.
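To make the mechanism concrete, here is a small C model of the heartbeat handler, written for this post rather than taken from OpenSSL: the vulnerable copy sits beside the patched check. The memory layout, the sample “secret” string, the handler names and the helper functions are all assumptions constructed for the demo; only the bug pattern (trusting the peer-supplied length) and the fix (comparing it against the length actually received) mirror the real code.

```c
/* Simplified model of the TLS heartbeat handling behind CVE-2014-0160 (Heartbleed).
 * Added illustration, not OpenSSL source: buffer layout, sample secret and all
 * names are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16      /* heartbeat messages end with at least 16 bytes of padding */
#define HB_MAX      65535   /* the length field is 16 bits */

/* Stand-in for the server heap: the incoming record sits at the start, and whatever
 * the server last worked with lies right after it. Sized so that even a maximal
 * over-read in this demo stays inside the array. */
static uint8_t server_memory[3 + HB_MAX + HB_PADDING + 256];

/* Constructed sample secret that happens to sit next to the record in memory. */
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY----- (constructed sample)";

/* Write a heartbeat request into server_memory. `claimed` is what the peer puts in
 * the 2-byte length field; the real payload is strlen(payload) bytes. Returns the
 * number of bytes the server actually received for this record. */
static size_t build_record(const char *payload, uint16_t claimed) {
    size_t plen = strlen(payload);
    memset(server_memory, 0, sizeof server_memory);
    server_memory[0] = HB_REQUEST;
    server_memory[1] = (uint8_t)(claimed >> 8);
    server_memory[2] = (uint8_t)(claimed & 0xff);
    memcpy(server_memory + 3, payload, plen);
    memset(server_memory + 3 + plen, 'P', HB_PADDING);
    size_t record_len = 3 + plen + HB_PADDING;
    memcpy(server_memory + record_len, SECRET, sizeof SECRET);  /* leftover heap contents */
    return record_len;
}

/* Vulnerable handler (OpenSSL 1.0.1 to 1.0.1f pattern): echoes `claimed` bytes
 * without ever consulting how many bytes actually arrived.
 * `out` must hold 3 + HB_MAX + HB_PADDING bytes. Returns payload bytes echoed. */
static size_t hb_handle_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;                                   /* never used: that is the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);           /* over-reads past the record */
    memset(out + 3 + payload_len, 'P', HB_PADDING);
    return payload_len;
}

/* Patched handler (the 1.0.1g check): type byte, length field, claimed payload and
 * padding must all fit inside the record that was actually received; otherwise the
 * message is silently dropped and nothing is echoed. */
static size_t hb_handle_patched(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 3 + HB_PADDING)
        return 0;                                    /* too short to hold the framing */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload_len + HB_PADDING > rec_len)
        return 0;                                    /* claimed more than was sent: drop */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);           /* now provably inside the record */
    memset(out + 3 + payload_len, 'P', HB_PADDING);
    return payload_len;
}

/* Does the echoed payload contain `needle`? (memmem is not portable C.) */
static int contains(const uint8_t *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

struct hb_result {
    size_t echoed;   /* payload bytes sent back to the peer */
    int leaked;      /* 1 if the sample secret appeared in the response */
};

typedef size_t (*hb_handler)(const uint8_t *, size_t, uint8_t *);

static struct hb_result run_handler(hb_handler h, const char *payload, uint16_t claimed) {
    static uint8_t out[3 + HB_MAX + HB_PADDING];
    size_t rec_len = build_record(payload, claimed);
    struct hb_result r;
    r.echoed = h(server_memory, rec_len, out);
    r.leaked = r.echoed > 0 && contains(out + 3, r.echoed, "PRIVATE KEY");
    return r;
}

static struct hb_result vulnerable_heartbeat(const char *payload, uint16_t claimed) {
    return run_handler(hb_handle_vulnerable, payload, claimed);
}

static struct hb_result patched_heartbeat(const char *payload, uint16_t claimed) {
    return run_handler(hb_handle_patched, payload, claimed);
}

int main(void) {
    struct hb_result r = vulnerable_heartbeat("hello", 5);      /* honest: 5 bytes, says 5 */
    printf("honest request, vulnerable server:    echoed %zu, leak: %s\n", r.echoed, r.leaked ? "yes" : "no");
    r = vulnerable_heartbeat("hello", 400);                     /* attack: 5 bytes, says 400 */
    printf("malicious request, vulnerable server: echoed %zu, leak: %s\n", r.echoed, r.leaked ? "yes" : "no");
    r = patched_heartbeat("hello", 400);
    printf("malicious request, patched server:    echoed %zu, leak: %s\n", r.echoed, r.leaked ? "yes" : "no");
    return 0;
}
```

Compile with any C99 compiler and run: the honest request gets its 5 bytes back from both handlers, while the request that claims 400 bytes pulls the sample key out of the vulnerable handler and gets nothing at all from the patched one. Note that the vulnerable write into the response is in bounds (the real code sized the response from the attacker’s number too), so the server never crashed; only the read was out of bounds, which is why the bug went unnoticed for so long.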

It appears that the bug has been out in the open for more than two years (it was introduced in OpenSSL 1.0.1, released in March 2012), and a public announcement regarding the bug was made last week, sending security professionals into a tizzy.

According to Netcraft, over half a million websites continue to be affected by this vulnerability. A fairly recent list of affected websites is available on GitHub and includes popular sites like yahoo.com. Ironically, it appears that the website of openssl.org itself is vulnerable.

Websites that use a vulnerable version of OpenSSL would do well to move to a patched version (1.0.1g or later, or a distribution build with the fix backported). Patching alone is not enough, though: because the private key may already have been read, the site’s certificate should be reissued with a freshly generated key and the old certificate revoked, existing sessions should be invalidated, and users should be asked to change their passwords only once the fix is in place, since a password changed on a still-vulnerable server can be stolen just as easily as the old one.