It’s become known as the greatest mistake on the Internet of all time. It is the largest security breach online ever . . . and it was a total accident. The Heartbleed Bug, as it’s become known, was first reported and named by Codenomicon on April 1, 2014. The bug was the result of a coding mistake in the open-source OpenSSL cryptography library, which is used to implement the Internet’s Transport Layer Security (TLS) protocol. Specifically, the bad code is in OpenSSL’s TLS heartbeat extension, hence the nickname “Heartbleed.”
OpenSSL / TLS is a form of security used to encrypt and protect information transmitted between clients and servers. Clients are ordinary computers, like your home PC, laptop or even your phone. Servers are specialized computers that hold enormous amounts of information, including hosting websites and storing email. Imagine that every time you open your browser (the Mozilla or Internet Explorer icon you double click) to pull up the Google home page, you are mailing a letter from your PC to the Google server. The letter is the information you are sending, and you don’t want anyone else to read it. To stop everyone else from seeing what’s in it, you put the letter in an envelope. Your computer and the server do this automatically, and one of the envelopes they can use is TLS as implemented by OpenSSL. Which envelope is used is largely determined by the site you are attempting to visit.
Heartbleed is classified as a buffer over-read error. Normally a client sends a small heartbeat request to a server, and the server should echo it back in a response of the same length. During a Heartbleed attack, a heartbeat request that declares a large payload length but actually carries a tiny payload is sent to the server. The Heartbleed error means the server fails to check the declared length against the size of the payload it actually received before responding. It “over answers” the request, sending back chunks of whatever happens to be nearby in its memory. This may include user login names or passwords. In a worst case scenario, an attacker may obtain the server’s private key. With this, someone may be able to decrypt all traffic coming and going on that server.
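To make the missing check concrete, here is an added toy simulation written for this article (it is not OpenSSL code and not from the original post). It models a heartbeat message as a one-byte type, a two-byte declared payload length, the payload and 16 bytes of padding, and models “nearby memory” as a constructed byte string sitting right after the received record. The function names, the sample memory contents and the memory layout are assumptions made for illustration; the length check in the patched handler mirrors the shape of the real fix (header plus declared length plus minimum padding must not exceed the bytes actually received).

```python
"""Toy simulation of the Heartbleed over-read and its fix.

Added example for illustration only. Message layout loosely follows the TLS
heartbeat extension (type | length | payload | padding); everything else,
including the simulated process memory, is constructed for this demo.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 1 + 2          # type byte + 16-bit payload length
MIN_PADDING = 16            # heartbeat messages carry at least 16 bytes of padding

# Constructed stand-in for whatever happened to sit in the server's memory
# next to the received heartbeat record (not real data).
CONSTRUCTED_PROCESS_MEMORY = (
    b"GET /account HTTP/1.1\r\n"
    b"Cookie: session=SECRET-COOKIE-VALUE\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    + b"\x00" * 512
)


def build_heartbeat(declared_len: int, payload: bytes) -> bytes:
    """Build a heartbeat request. declared_len is written into the header
    independently of len(payload); that mismatch is what a correct
    implementation must detect."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + b"\x00" * MIN_PADDING


def _build_response(declared_len: int, payload: bytes) -> bytes:
    return struct.pack("!BH", HEARTBEAT_RESPONSE, declared_len) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(record: bytes, process_memory: bytes) -> bytes:
    """Pre-fix behaviour: trusts the declared length and copies that many
    bytes starting at the payload's position in memory. The record is
    modelled as sitting at offset 0 of a buffer followed by process_memory,
    so a declared length larger than the record reads past it."""
    _hb_type, declared_len = struct.unpack("!BH", record[:HEADER_LEN])
    memory = record + process_memory
    payload = memory[HEADER_LEN:HEADER_LEN + declared_len]   # over-read happens here
    return _build_response(declared_len, payload)


def patched_handler(record: bytes, process_memory: bytes) -> Optional[bytes]:
    """Post-fix behaviour: discard the message if the declared payload length
    (plus header and minimum padding) would exceed the bytes actually received.
    Returning None models OpenSSL silently dropping the message."""
    _hb_type, declared_len = struct.unpack("!BH", record[:HEADER_LEN])
    if HEADER_LEN + declared_len + MIN_PADDING > len(record):
        return None
    memory = record + process_memory
    payload = memory[HEADER_LEN:HEADER_LEN + declared_len]   # now bounded by the record
    return _build_response(declared_len, payload)


def response_payload(response: bytes) -> bytes:
    """Extract just the echoed payload from a heartbeat response."""
    _hb_type, declared_len = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + declared_len]


if __name__ == "__main__":
    oversized = build_heartbeat(256, b"hi")      # claims 256 bytes, carries 2
    leaked = response_payload(vulnerable_handler(oversized, CONSTRUCTED_PROCESS_MEMORY))
    print("vulnerable server echoed", len(leaked), "bytes; secret present:",
          b"SECRET-COOKIE-VALUE" in leaked)
    print("patched server response:", patched_handler(oversized, CONSTRUCTED_PROCESS_MEMORY))
    honest = build_heartbeat(2, b"hi")
    print("patched server echoes honest request:",
          response_payload(patched_handler(honest, CONSTRUCTED_PROCESS_MEMORY)))
```

The fix is one comparison: the declared length is only ever used after it has been checked against what was actually received. Note also why the article calls the attack hard to detect: both handlers produce a normal-looking heartbeat response, so a server that does not inspect heartbeat lengths has nothing to log.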
The worst part about a Heartbleed attack is that it is virtually impossible to detect after the fact, since heartbeat messages leave no trace in normal server logs, and the bug had been around for over two years: it was first introduced on March 14, 2012. Almost 20 percent of the world’s servers use the affected files. Android also confirmed that its version 4.1.1 (Jelly Bean) contains the bug, which affects over 50 million devices.
So far the following sites and services have been confirmed free of any effects from the Heartbleed bug:
- LinkedIn, Apple, Amazon, all Microsoft products and services, AOL, Hotmail, Outlook, eBay, Groupon, PayPal, Target, Walmart, Hulu and Pandora.
The following sites have been confirmed as affected by the Heartbleed bug. All have been patched, but it is highly recommended that you change your passwords for any of these sites or services you use, if you haven’t already done so:
- Facebook, Instagram, Pinterest, Tumblr, Google, Yahoo, Gmail, GoDaddy, Flickr, Minecraft, Netflix, YouTube, OKCupid, Healthcare.gov, Steam, League of Legends and Sony Online Entertainment.