What is Heartbleed and what does it mean to you?
There have been a lot of articles in the mainstream press lately about the Heartbleed bug and how everyone should go out and change their passwords immediately, which may actually have been very poor advice.
Heartbleed is a bug in a product called OpenSSL, which is one of many ways of implementing the security behind https:// websites and also some Virtual Private Networks. To put it simply, SSL is the technology that implements the little padlock you see on secure sites.
The way this works is that traffic to the site is encrypted, and this encryption is, very simplistically, underpinned by a certificate installed on the web server.
Heartbleed is a vulnerability in the OpenSSL implementation that allows hackers to send a message and get back a very small chunk of unencrypted data from the server. What comes back is pretty random: there is no guarantee as to what they will actually get. However, if they send enough messages they might get passwords or even the certificate of the site.
Whilst a hacker getting your password is pretty serious, it was the fact that the hacker could get a certificate that had the internet in uproar. Once the hacker has a site’s certificate it is potentially possible for them to pretend to be that site and capture all of the unencrypted traffic to their dummy site.
I have seen various estimates of how much of the internet uses OpenSSL. From 40% to 65% seems a good ballpark. It is not used on any Microsoft-based server, for example.
Fixing the Problem
It is now pretty easy for sites to fix the problem. First, a site should change its SSL technology to one that is not affected (later versions of OpenSSL have been patched), and it should also revoke and reissue its certificates. The latter is the most important point, and it is why rushing out to change passwords is not a good idea until you are sure that the site has both been patched and changed its certificates. If they only do the former, it is possible that their certificates were obtained prior to the patch being made.
Is it a problem?
The problem with this vulnerability is that it has been out there a very long time and there is no way of knowing whether it was exploited. Having said that, security firms did put out ‘honeytrap’ servers before this vulnerability was publicly announced and found no evidence of them being attacked. A ‘honeytrap’ server is one that looks as if it is worth hacking and has the vulnerability in place, but in reality is run by a security firm to trap hackers.
It seems likely that there was very little chance of the issue being exploited before it was made public. Unfortunately, some sites have been very slow to patch and change certificates since the issue became public, and since then there has been an increase in perceived attacks.
There are a number of resources on the web to check whether a site has been patched. Heartbleed.org is a good place to start.
One final piece of advice: a number of pieces of network hardware, such as routers, also have web servers in them, and some of these have been affected. It is wise to check whether your router needs a firmware update.
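Two of the checks behind the advice above, as an added Python example that is not code from the article: whether a site's certificate is dated after the public disclosure (reissued, not merely patched) and whether an OpenSSL version string falls in the affected range. The disclosure date (7 April 2014), the CVE number and the affected versions (1.0.1 through 1.0.1f, fixed in 1.0.1g) are facts not stated on the page; any host name you pass to check_site is your own choice.

```python
# Added example, not the article's own code: the checks behind the advice
# above. Heartbleed (CVE-2014-0160) was disclosed on 7 April 2014; it is
# present in OpenSSL 1.0.1 through 1.0.1f and fixed in 1.0.1g.
import calendar
import re
import socket
import ssl

# Midnight UTC on the day the bug was publicly announced.
DISCLOSURE_EPOCH = calendar.timegm((2014, 4, 7, 0, 0, 0))
# Matches the start of ssl.OPENSSL_VERSION, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")


def cert_reissued_after_disclosure(not_before: str) -> bool:
    """not_before is the 'notBefore' string from ssl.getpeercert(), e.g.
    'Apr 10 00:00:00 2014 GMT'. A certificate dated on or before disclosure
    may still be backed by a key that leaked before the server was patched,
    so a password changed there could be exposed again."""
    return ssl.cert_time_to_seconds(not_before) > DISCLOSURE_EPOCH


def openssl_version_affected(version_string: str) -> bool:
    """True only for OpenSSL 1.0.1 .. 1.0.1f. The 1.0.2-beta1 pre-release was
    also affected but is not matched here; 1.0.0 and 0.9.8 never were."""
    m = VERSION_RE.match(version_string)
    if not m:  # not OpenSSL at all (e.g. LibreSSL, which forked after the fix)
        return False
    major, minor, patch, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    if (major, minor, patch) != (1, 0, 1):
        return False
    return letter < "g"  # "" (plain 1.0.1) and "a".."f" sort before "g"


def check_site(host: str, port: int = 443) -> dict:
    """Fetch the live certificate of `host` (needs network access) and report
    whether it was issued after the disclosure. The local OpenSSL build is
    reported too, since a client library can be affected as well."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {
        "host": host,
        "not_before": cert["notBefore"],
        "reissued_after_disclosure": cert_reissued_after_disclosure(cert["notBefore"]),
        "local_openssl_affected": openssl_version_affected(ssl.OPENSSL_VERSION),
    }
```

A certificate that predates the disclosure is the signal to wait: the site may have patched, but a new password sent to it still rides on a key that could have leaked.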