In this article, I will cover the HeartBleed bug that has been in the news lately, and what ordinary website users should be aware of: what could be affected and how to protect it.
HeartBleed Bug: What is It? (A Brief Tech Overview)
At its core, HeartBleed is a bug in the implementation of OpenSSL, a well-known library used for encryption over the web. Like any other bug, it can be fixed (technically) by updating the software being used. What makes this bug unique is the following:
- It has been around for quite some time now (almost 2 years). During this time, all data that was being protected using encryption over the web could have been leaked (stolen) without leaving any traces behind.
- It affects a popular protocol. We all know and use the popular HTTPS protocol on the web. This protocol is supposed to encrypt sensitive data that we use on the web (like passwords, credit card numbers, etc.).
- It was recently discovered and not all servers are updated yet. Many servers still do not have a fix in place, which leaves room for attacks to take place as this article is being written.
This bug allows attackers to steal secrets (private keys) that are used to encrypt data. With those keys, attackers can not only steal information; they can keep stealing it until two things are fixed:
- The software used to encrypt / decrypt (OpenSSL in this case) is updated.
- The keys used to encrypt and decrypt are changed. If the software is updated but the keys are not, the attack can still take place and information can still be stolen.
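One way a server operator can check the second fix above, as an added example that is not part of the original article: a certificate can be reissued while still wrapping the old key pair, so this script compares the public key in the certificate used before the fix with the one in the reissued certificate. The function names, file names and throwaway certificates are constructed for illustration, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example: confirm a reissued certificate carries a NEW key pair.
# Function names, file names and the CN are constructed for illustration.

# Print the SHA-256 of the public key inside a PEM certificate.
spki_hash() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 only if both certificates parse and their public keys differ.
key_rotated() {
    old_hash=$(spki_hash "$1") || return 2
    new_hash=$(spki_hash "$2") || return 2
    [ "$old_hash" != "$new_hash" ]
}

# Constructed demo data: throwaway self-signed certificates.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkcert() {  # mkcert <key-file> <cert-file>; creates the key if missing
    [ -f "$1" ] || openssl genrsa -out "$1" 2048 2>/dev/null
    openssl req -x509 -new -key "$1" -out "$2" \
        -subj "/CN=demo.invalid" -days 1 2>/dev/null
}
mkcert "$demo_dir/old.key" "$demo_dir/before_fix.pem"     # in use while vulnerable
mkcert "$demo_dir/old.key" "$demo_dir/reissued_same.pem"  # new cert, SAME key
mkcert "$demo_dir/new.key" "$demo_dir/reissued_new.pem"   # new cert, new key

for cert in reissued_same.pem reissued_new.pem; do
    if key_rotated "$demo_dir/before_fix.pem" "$demo_dir/$cert"; then
        echo "$cert: key rotated"
    else
        echo "$cert: key NOT rotated, a stolen key would still work"
    fi
done
```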
HeartBleed: What Can be Affected?
Any data being encrypted can be affected. This includes passwords, credit cards, communication messages, emails, etc.