How to Protect from HeartBleed – OpenSSL Bug

Written by Jana Raj

What if we told you that your personal Facebook or Twitter account has been subjected to numerous hacks and compromises in the past couple of years without you getting the slightest indication of what was happening behind your back? Sounds surreal, doesn’t it? Welcome to the world of Heartbleed, the OpenSSL bug.

OpenSSL is the most widely used cryptographic library for the Apache and nginx web servers, and it implements a Transport Layer Security (TLS) feature called Heartbeat, an extension added to TLS in 2012. The combined market share of just those two, Apache and nginx, among the active sites on the Internet is over 66% according to Netcraft’s April 2014 Web Server Survey.

What is Heartbleed?

Heartbleed is a critical bug (CVE-2014-0160) in the popular OpenSSL cryptographic software library. It resides in OpenSSL’s implementation of the TLS (Transport Layer Security) and DTLS (Datagram TLS) heartbeat extension (RFC 6520).
This bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon, while improving the SafeGuard feature in Codenomicon’s Defensics security testing tools, and by Neel Mehta of Google Security, who first reported it to the OpenSSL team.

How Heartbleed Works

It is not a problem with the TLS/SSL protocols that encrypt the Internet, nor with the design of OpenSSL. It is simply a coding mistake in the heartbeat implementation.
The Heartbeat extension lets two computers check that the other is still there: one side sends a small heartbeat message and the other echoes it back, so if either of them goes down during a session, the other will know.

When a crafted heartbeat is sent, the reply carries up to about 64 kilobytes of the server’s working memory, which an attacker can capture; it can contain sensitive data such as message contents, user credentials, session keys and the server’s private keys. By sending heartbeat requests repeatedly, an attacker can pull out more and more of the server’s memory.

This means that anything and everything in that memory, such as SSL private keys, the keys protecting your usernames and passwords, instant messages, emails, business-critical documents and communications, and much more, is exposed to cyber criminals. At this point, you have to assume that it has all been compromised.

About two-thirds of web servers rely on OpenSSL, which means that the information passing through hundreds of thousands of websites could be exposed.

Thanks to The Hacker News for this explanation of how Heartbleed works.
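The echo-and-reply mechanism described above, written out as an added example that is not code from the original post or from OpenSSL itself: a minimal RFC 6520 heartbeat responder that includes the record-length check whose absence let the reply spill server memory. The constants and the two sample records are constructed here for illustration.

```c
#include <stdint.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage: type (1) | payload_length (2, big-endian) | payload | padding (>= 16) */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define HB_REQUEST     1
#define HB_RESPONSE    2

/* Answer the heartbeat request in rec[0..rec_len) by echoing its payload.
 * Returns the response length written to out (capacity out_cap), or 0 if the
 * request is discarded. Comparing the claimed payload_length with the real
 * record length is the check that OpenSSL 1.0.1 through 1.0.1f lacked; without
 * it the memcpy below reads past a short record and echoes whatever memory
 * follows it (session keys, passwords, private keys) back to the peer. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* RFC 6520: a message whose payload_length is too large MUST be silently discarded. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return 0;
    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len); /* only bytes the peer actually sent */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);  /* real stacks use random padding */
    return resp_len;
}

/* Constructed request: payload "hi" (length 2) plus 16 bytes of zero padding, 21 bytes in all. */
size_t demo_honest_request(void)
{
    uint8_t req[21] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' }, out[64];
    return heartbeat_respond(req, sizeof req, out, sizeof out); /* 21: header + "hi" + padding */
}

/* Same 21-byte record, but the header claims a 65535-byte payload: it must be discarded. */
size_t demo_oversized_claim(void)
{
    uint8_t req[21] = { HB_REQUEST, 0xff, 0xff, 'h', 'i' }, out[64];
    return heartbeat_respond(req, sizeof req, out, sizeof out); /* 0 */
}
```

The second record is the shape of message the vulnerable versions answered with 65535 bytes; with the length check in place it is dropped and nothing beyond the 21 received bytes is ever read.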

How to Protect From HeartBleed – OpenSSL Bug

If a site you use is no longer affected by the vulnerability, it is a good idea to change your password there immediately, on the assumption that it was vulnerable before, just to make sure you are now safe. But changing the password before the site has fixed the bug could expose your new password as well.

Do not reuse the same password on different websites; use a separate password for each one.

If you are using public Wi-Fi at McDonald’s or any other public place, limit what you do online and avoid signing in to especially sensitive websites.

OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable; the flaw is fixed in OpenSSL 1.0.1g. If you have not done so yet, update every system that uses OpenSSL for TLS-encrypted communications.

Last but not least, keep an eye on every financial transaction, and use two-factor authentication where it is offered: in addition to the password, the account then requires a freshly generated passcode that appears only on your personal smartphone before you can sign in.

HOW TO CHECK IF YOUR FAVORITE WEBSITES ARE VULNERABLE

1.) First of all, check each of the sites you use every day against http://filippo.io/Heartbleed/ to see whether it is vulnerable to the Heartbleed bug; if you are given a red flag, avoid the site for now.

2.) LastPass also created a Web app that will tell you what kind of encryption a site uses, and when the encryption was last updated.

3.) Provensec also created a scanner at http://provensec.com/heartbleed/.

4.) GlobalSign’s SSL Configuration Checker.

5.) The easiest way to stay safe is to use Chromebleed, a new add-on for the Chrome browser created by security researcher Jamie Hoyle.


About the author

Jana Raj

Jana is the founder of Tech4bros: CS engineer, part-time blogger and web developer, crypto trader and investor.