A little-known Google security researcher named Neel Mehta dropped a bombshell on the Internet security world, and the Internet as a whole, when he announced his discovery of a vulnerability in OpenSSL dubbed “Heartbleed”.
The bug takes its colorful name from the feature it takes advantage of, known as Heartbeat, which is used by OpenSSL to communicate between servers and hand down encryption keys to the proper vendors who request them.
It pulls off this trick by fooling systems that rely on OpenSSL into revealing the contents of their memory, which can contain anything from user credentials to the vital organs of the computer that is in the process of being compromised.
Mehta goes into extensive detail about the exact cause and extent of the threat on his freshly launched portal Heartbleed.com.
“This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.”
Perhaps most frightening of all is the fact that unlike other viruses and net-based nasties, Heartbleed doesn’t leave a single trace of its presence behind, essentially making it impossible for sysadmins or IT professionals to verify whether or not their machines and networks have been affected in the first place.
This fact suggests that anyone on the web who has entrusted their server to OpenSSL in the past two years could have been, and probably was, a target. No one is safe from what could potentially shape up to be one of the largest Internet security scandals in modern history.
The team behind the encryption standard have already pounced on the problem, releasing an update clearly and concisely named “Fixed OpenSSL”, so that no one who might be on the lookout for a solution gets confused when attempting to update their servers with the properly patched code.