Amy Macchiaverna
IS 353.02
Professor Harris
April 14th, 2014
Blog #3: Heartbleed Exposes Web Server's Private SSL Keys
After the critical details of the Heartbleed bug were exposed last week, many
system administrators, network security teams, software developers, and pretty
much anyone who uses the Internet or mobile apps have developed serious
concerns about their Internet safety. Whether you are a consumer accessing
your Internet bank site, using a mobile application to log in and share data,
or trading online, you are at risk from the new bug dubbed ‘Heartbleed.’ The
bug stems from a fault in functionality in the widely used OpenSSL library.
The Heartbleed vulnerability allows attackers to repeatedly access up to 64K
of memory by sending a specially crafted packet to a server running a
vulnerable version of OpenSSL.
Neel Mehta of Google Security originally discovered the Heartbleed bug. The
OpenSSL library is widely used, from security vendors’ products to secure web
browsing and even mobile banking applications. Popular company services such
as Yahoo are vulnerable to the bug, but there are precautions that can be
taken (Yahoo is no longer at risk). The main concern is Heartbleed’s ability
to obtain private SSL keys from a server, thereby exposing the personal
information and passwords of companies and people all over the world. A
security firm, CloudFlare, created a web site that was intentionally exposed
to Heartbleed and encouraged researchers to attempt to get the private SSL key
from the service. This confirmed the ability of an attacker to retrieve a
server’s private key.
A trending word regarding the Heartbleed bug seems to be “catastrophic.”
Without the necessary precautions, and assuming personal data has been
breached, the damage can be disastrous to those who have actually been hacked.
Governments around the world could have used this bug to obtain as much
information as possible about other governments, because why wouldn’t you? If
you have the ability to gather tons of information about your enemy, wouldn’t
you take advantage of it? Heartbleed is not a simple fix and has created many
challenges regarding Internet safety for the future.
64K may not seem like a great deal of data, but of course the attacker can
connect repeatedly and progressively collect more information. This is enough
memory to store all sorts of usernames, passwords, and security keys,
resulting in a whole lot of damage. Based on recent news articles, everyone
should assume their personal information has been leaked, and should take the
necessary steps to secure their information. The vulnerability is
“catastrophic” for SSL and Internet security, Bruce Schneier, a well-known
cryptologist and CTO of Co3 Systems, previously told SecurityWeek. “On the
scale of 1 to 10, this is an 11.”
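To show why one request can return up to 64K and why the same request can be repeated, here is an added example (not code from OpenSSL or from the cited articles) that models the missing length check beside its hardened form. The arena, the function names and the sample record are constructed for illustration, and the record layout follows RFC 6520, which this post does not describe.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not OpenSSL code. One arena stands in for process memory:
   [received heartbeat record][unrelated secret that happens to sit next]. */
#define ARENA_SIZE 256
static uint8_t arena[ARENA_SIZE];

/* Record body per RFC 6520: type(1) | payload_length(2, big-endian) | payload.
   A 16-bit length field is why a single request can expose up to 64K. */
size_t load_arena(const uint8_t *rec, size_t rec_len, const char *secret) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, rec, rec_len);
    memcpy(arena + rec_len, secret, strlen(secret));
    return rec_len;
}

static size_t claimed_len(void) { return ((size_t)arena[1] << 8) | arena[2]; }

/* Vulnerable form: echoes as many bytes as the sender claims to have sent. */
size_t heartbeat_vulnerable(size_t rec_len, uint8_t *out, size_t cap) {
    (void)rec_len;                               /* never consulted: the bug */
    size_t n = claimed_len();
    if (n > cap) n = cap;                        /* clamps exist only to keep */
    if (n > ARENA_SIZE - 3) n = ARENA_SIZE - 3;  /* this model well-defined */
    memcpy(out, arena + 3, n);                   /* runs past the real payload */
    return n;
}

/* Hardened form: drop the request if the claimed payload did not arrive.
   (The real record also carries padding, omitted in this model.) */
size_t heartbeat_hardened(size_t rec_len, uint8_t *out, size_t cap) {
    if (rec_len < 3) return 0;
    size_t n = claimed_len();
    if (3 + n > rec_len || n > cap) return 0;    /* silently discard */
    memcpy(out, arena + 3, n);
    return n;
}

int main(void) {
    const uint8_t rec[] = {0x01, 0x00, 0x40, 'p', 'i', 'n', 'g'}; /* claims 64, sends 4 */
    uint8_t out[65] = {0};
    size_t len = load_arena(rec, sizeof rec, "SESSION_KEY=constructed");
    printf("vulnerable: %zu bytes: %s\n", heartbeat_vulnerable(len, out, 64), (char *)out);
    printf("hardened:   %zu bytes\n", heartbeat_hardened(len, out, 64));
    return 0;
}
```

The vulnerable responder returns the four payload bytes followed by whatever sits next in memory, while the hardened one returns nothing for the same record.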
Works Cited

*Lennon, Mike. "Confirmed: Heartbleed Exposes Web Server's Private SSL Keys | SecurityWeek.Com." Security Week. N.p., 14 Apr. 2014. Web. 14 Apr. 2014.

Lyne, James. "Heartbeat Heartbleed Bug Breaks Worldwide Internet Security Again (And Yahoo)." Forbes. Forbes Magazine, 08 Apr. 2014. Web. 14 Apr. 2014.

Rashid, Fahmida Y. "Why The Heartbleed Vulnerability Matters and What To Do About It | SecurityWeek.Com." Security Week. N.p., 10 Apr. 2014. Web. 14 Apr. 2014.

* = Primary Source