April 15, 2014

Change Your Passwords: Heartbleed Bug Affects Thousands of Websites

Last week it was announced that hundreds of thousands of websites all share a vulnerability that could put your bank account, your email, and even your Tumblr account at risk — a hole in secure website logins known as the Heartbleed Bug. To understand Heartbleed, start with the software the bug resides in.

“OpenSSL is an open-source software library that provides secure communication over the internet,” according to Prof. Nate Foster, computer science.

Short for Open-source Secure Sockets Layer, the software library both encrypts the information you send through the internet and ensures that when you connect to your bank’s website, for example, you are actually connected to your bank’s website and not to a malicious third party, Foster said.

“When we go to websites that have HTTPS built into them what’s done is that the information is encrypted automatically so that the request you send just looks like meaningless junk to somebody who’s watching,” said Prof. Ken Birman, computer science.

According to Birman, OpenSSL was initially developed by a consortium of computer science experts who were deemed impartial by the software industry and development community. Since the project is open-source, OpenSSL is shared openly and free of charge for anyone who wants to use it. One feature of OpenSSL is called “heartbeat,” according to Birman.

Your computer will send a website with OpenSSL a “ping” to make sure it’s still connected, and OpenSSL will give an affirmative response. It does this at regular intervals, like the regular beating of a heart. The Heartbleed bug resides within the heartbeat feature, hence the name, Birman said.

“What seems to have happened is that a cleverly-designed malicious piece of software — written by a bad guy — could connect to an HTTPS site without knowing your credentials and just send it heartbeat requests,” Birman said. “And because of a mistake in the way the OpenSSL code was written, the heartbeat request would come back with an answer that included some information that was captured from the inside of the computer memory of the server you were talking to.”
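The mistake Birman describes, shown as an added illustration rather than OpenSSL’s own code: a simplified heartbeat handler in C, with the buggy version that trusts the length field beside the bounds check that fixes it. The record layout, the 64-byte simulated memory and the MARKER string are constructed for this simulation.

```c
#include <stdint.h>
#include <string.h>

/* Simplified heartbeat record: [type][len hi][len lo][payload...] */
#define HB_HDR 3
#define MEM_SIZE 64
#define MARKER "MARKER-NOT-YOURS" /* constructed stand-in for neighbouring data */
#define MARKER_LEN (sizeof MARKER - 1)

/* Simulated server memory: the received record sits at the start, and MARKER
 * (whatever a real server happens to hold next to it) is written right after. */
static unsigned char server_mem[MEM_SIZE];
static unsigned char reply[MEM_SIZE];

/* Place a record claiming `claimed` payload bytes but carrying only `actual`
 * (keep actual <= 40). Returns the record length the server really received. */
size_t place_record(const char *payload, size_t actual, uint16_t claimed) {
    memset(server_mem, 0, sizeof server_mem);
    server_mem[0] = 1;                             /* heartbeat request */
    server_mem[1] = (unsigned char)(claimed >> 8);
    server_mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(server_mem + HB_HDR, payload, actual);
    memcpy(server_mem + HB_HDR + actual, MARKER, MARKER_LEN);
    return HB_HDR + actual;
}

/* The bug: echo as many bytes as the length field claims, never checking it
 * against the bytes that actually arrived. The cap only keeps this simulation
 * inside server_mem; a real process reads whatever lies beyond the record. */
size_t reply_unchecked(void) {
    size_t n = ((size_t)server_mem[1] << 8) | server_mem[2];
    if (n > MEM_SIZE - HB_HDR) n = MEM_SIZE - HB_HDR;
    memcpy(reply, server_mem + HB_HDR, n);
    return n;
}

/* The fix (the bounds check the patch added): drop any heartbeat whose claimed
 * length exceeds what the record carries. Returns 0 when dropped. */
size_t reply_checked(size_t rec_len) {
    if (rec_len < HB_HDR) return 0;
    size_t n = ((size_t)server_mem[1] << 8) | server_mem[2];
    if (HB_HDR + n > rec_len) return 0;            /* silently discard */
    memcpy(reply, server_mem + HB_HDR, n);
    return n;
}

/* Does a reply of `n` bytes carry MARKER right after the `actual` payload? */
int marker_leaked(size_t n, size_t actual) {
    return n >= actual + MARKER_LEN && memcmp(reply + actual, MARKER, MARKER_LEN) == 0;
}
```

A request that carries 2 bytes but claims 20 makes the unchecked handler echo 18 bytes it was never sent, which is exactly what the patched handler refuses to do.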

According to Birman, if you happen to be logging in when someone is exploiting Heartbleed, your password could be included in the information captured from the server, allowing someone to take over your account. Heartbleed could also be exploited by malicious servers in order to steal information from users of a certain website, according to Prof. Emin Sirer, computer science.

“No one knows if any such websites were set up, and if so, they would affect users whose browsers were vulnerable. If such a site were to attack a client, it could steal users’ passwords or other authentication credentials,” Sirer said. “The chances of this having happened for any individual are low.”

Despite the fact that the Heartbleed bug has existed within OpenSSL for two years, according to Foster, it was only discovered and reported recently — on the same day — by both Finnish cybersecurity firm Codenomicon and an engineer at Google. At this point it is unclear exactly how much Heartbleed has been exploited by people with malicious intent, according to Foster.

“It will take some time for network administrators to scan their logs and determine if exploits have occurred in their networks,” Foster said.

According to Birman, it will also be hard to tell exactly when OpenSSL was exploited and by whom, because OpenSSL does not have a method for tracking where its heartbeats are coming from.

“Nothing keeps track of whether OpenSSL is getting a lot of these pings,” he said. “So the way you would know this is you would say, ‘here’s this website that I use for Visa, and gosh it’s getting an awful lot of pings from this place in St. Petersburg.’ But they haven’t been tracking this and so we simply wouldn’t know, there would be no trace at all.”

Since the code for OpenSSL is open-source and freely available, someone interested in finding a flaw could use one of three techniques to find a vulnerability: inspect, analyze, or test, according to Sirer. Each of the three techniques comes with its own drawbacks, however.

“Testing is difficult to perform, one would have to hypothesize the existence of the bug before one can craft a test case for it,” Sirer said. “Analysis is also non-trivial; automated tools typically have difficulty with code bases as complex as OpenSSL. And manual inspection is slow and laborious.”

According to Birman, companies concerned about their website security will often pay security companies to look for vulnerabilities in their secure log-ins and fix them before someone with malicious intent finds them.

“It’s a little surprising, actually, that this wasn’t noticed,” Birman said. “It’s just the kind of thing everyone looks for.”

OpenSSL’s open-source nature also means it would be difficult to determine who, if anyone, is responsible for the security hole. Developers on open-source projects often use aliases, much as anyone would use an anonymous username on a website, and it is taken for granted that they are not creating potential security holes, Birman said.

However, Foster says open-source is still a good idea.

“Open-source software is generally high quality and bugs tend to get fixed very quickly because there is such a large community of developers working to improve it,” he said.

Foster said a way to avoid security holes like Heartbleed in the future may be to write important pieces of software in more modern programming languages.

“OpenSSL is implemented in a language called C that was developed at Bell Labs in the early 1970s,” Foster said. “C is popular because it is fast, but it forces programmers to deal with a lot of low-level implementation details that are very tricky to get right.”

So far there have been few documented reports of Heartbleed being used for malicious intent, according to Foster. Birman said that a patch for Heartbleed was released almost immediately after the bug was reported, but for the patch to work a website has to install it, which may take some time depending on who runs the site. Small businesses that use OpenSSL for secure purchase pages but do not know about Heartbleed could remain vulnerable for a long time.

Network routers like the one you are using in your apartment are also vulnerable to Heartbleed exploits, Birman said, but people very rarely update the software on their routers.

“This OpenSSL flaw, it’s going to be with us for years,” Birman said.

Birman, Foster and Sirer all recommended that users change their passwords as soon as possible in order to protect their information. Since many people use the same password for multiple websites, it only takes one of those sites failing to patch the Heartbleed vulnerability for a user to give up the password to everything from their online banking to their email, Birman said.

“Generally passwords should be difficult for a human or computer to guess — as close to a random string of characters as possible,” Foster said.

According to Birman, the best password would be a short phrase that you can remember without much trouble and that someone who does not know you would not be able to guess exactly.

“Write a sentence about the place you were born,” Birman said.

While someone might know where you were born, they may not know exactly what your first thought is about your hometown, and they probably wouldn’t be able to guess exactly where you choose to place a number or punctuation mark in your sentence.

“If people use passwords that are longer sentences which have capital letters and numbers and punctuation in them, the odds of someone guessing that password are really low,” Birman said.

While there are lists available of which sites have been affected by Heartbleed, according to Foster, it is impossible for you as a user to know whether a specific website is vulnerable unless the site tells you. Birman said users should wait to change their password for a site until they know that any vulnerabilities in OpenSSL have been patched.

Fortunately, while Heartbleed allows an attacker to see the password you use to log in to a site, it will not reveal what information you exchange with a site for the rest of your interaction with that server. This means if you log in and immediately change your password, your account will be safe, according to Birman.

“If you have to use an HTTPS site and don’t know if they had an issue, or whether or not they fixed it, you have two options,” Birman said. “You could use one of those test programs that are out there now — at some risk that the test itself could be dangerous — or you could just assume the worst and log in, but change your password each time you visit the site.”