Heartbleed

News in the world of IT

22 Apr 2014


A few days after the discovery of what is potentially the most important vulnerability of the digital age, it is appropriate to make a quick review of the situation.


Heartbleed, what is it?

Heartbleed is a security flaw in the OpenSSL library, a library used by several major websites, including Facebook, Google and several government websites, to encrypt data.


How does it work?

When two systems communicate with each other, usually a server with a client, a "heartbeat" is sent. It is a way to verify that the other party is still available and responsive.

It is in the implementation of this practice that the fault lies. It is possible to ask the server to return more information than it should disclose, simply by specifying a larger number of characters to be returned than were actually sent. The extra information is drawn from the server's memory, and each reply can contain up to 64,000 characters. The image below (which quickly became popular on social media) demonstrates this problem:


[Image: xkcd comic "Heartbleed"]


Source: http://xkcd.com/1354/
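To make the mechanism concrete, here is an added example in C that is not code from the post or from OpenSSL. It models a heartbeat record as a type byte, a two-byte declared length and a payload, stores it in a small constructed memory region that happens to be followed by a fake secret, and runs it through two handlers: one that trusts the declared length (the Heartbleed pattern) and one that first checks the declared length against the number of bytes actually received (the shape of the fix). The record layout, the memory region, the secret and the MEM_SIZE guard in the vulnerable handler are all assumptions made for the demo; the guard only keeps the example within defined behaviour and has no counterpart in the real bug.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 64

/* Constructed model of a process's memory region: the received heartbeat
 * record sits at offset 0 and unrelated data (a fake secret, assumed for
 * the demo) happens to follow it. */
typedef struct {
    uint8_t mem[MEM_SIZE];
    size_t record_len; /* bytes actually received on the wire */
} heartbeat_input;

static uint16_t read_u16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Builds the sample: a 5-byte payload "hello" whose length field claims
 * `claimed_len` bytes. Simplified record layout assumed for the demo:
 *   byte 0     : message type
 *   bytes 1..2 : declared payload length (big-endian)
 *   bytes 3..  : payload */
heartbeat_input make_sample(uint16_t claimed_len) {
    heartbeat_input in;
    memset(in.mem, 0, sizeof in.mem);
    in.mem[0] = 1; /* heartbeat request */
    in.mem[1] = (uint8_t)(claimed_len >> 8);
    in.mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(in.mem + 3, "hello", 5);
    in.record_len = 3 + 5;
    /* Adjacent memory the peer must never see (constructed). */
    memcpy(in.mem + in.record_len, "SECRET=hunter2", 14);
    return in;
}

/* Vulnerable handler: echoes as many bytes as the peer claims it sent.
 * Returns the number of bytes echoed. The MEM_SIZE guard exists only to
 * keep this demo inside the modelled region; the real bug had no guard. */
int heartbeat_vulnerable(const heartbeat_input *in, uint8_t *out) {
    uint16_t payload_len = read_u16(in->mem + 1);
    if (3 + (size_t)payload_len > MEM_SIZE) return -1;
    memcpy(out, in->mem + 3, payload_len);
    return payload_len;
}

/* Fixed handler: the claimed length must fit inside what was received;
 * otherwise the request is discarded (-1) and nothing is echoed. */
int heartbeat_fixed(const heartbeat_input *in, uint8_t *out) {
    if (in->record_len < 3) return -1; /* no room for type + length */
    uint16_t payload_len = read_u16(in->mem + 1);
    if (3 + (size_t)payload_len > in->record_len) return -1;
    memcpy(out, in->mem + 3, payload_len);
    return payload_len;
}

/* 1 if the echoed bytes contain the constructed secret marker, else 0. */
int response_contains_secret(const uint8_t *out, int n) {
    const char *needle = "SECRET=";
    int k = (int)strlen(needle);
    for (int i = 0; i + k <= n; i++)
        if (memcmp(out + i, needle, (size_t)k) == 0) return 1;
    return 0;
}

/* Wrappers returning the observable results for a given claimed length. */
int vulnerable_echo_len(uint16_t claimed) {
    heartbeat_input in = make_sample(claimed);
    uint8_t out[MEM_SIZE];
    return heartbeat_vulnerable(&in, out);
}

int vulnerable_leaks_secret(uint16_t claimed) {
    heartbeat_input in = make_sample(claimed);
    uint8_t out[MEM_SIZE];
    int n = heartbeat_vulnerable(&in, out);
    return n > 0 && response_contains_secret(out, n);
}

int fixed_echo_len(uint16_t claimed) {
    heartbeat_input in = make_sample(claimed);
    uint8_t out[MEM_SIZE];
    return heartbeat_fixed(&in, out);
}

int main(void) {
    printf("vulnerable, claims 40: echoed %d bytes, secret leaked: %s\n",
           vulnerable_echo_len(40), vulnerable_leaks_secret(40) ? "yes" : "no");
    printf("fixed, claims 40: %s\n",
           fixed_echo_len(40) < 0 ? "request discarded" : "echoed");
    printf("fixed, claims 5: echoed %d bytes\n", fixed_echo_len(5));
    return 0;
}
```

The whole defect is the missing comparison between the length the peer claims and the length the server actually received; the fixed handler adds exactly that check and discards the record when it fails, which is also why an honest heartbeat (claimed length equal to the real payload) still works after the fix.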


Why is the vulnerability considered major?

It is estimated that two-thirds of the servers worldwide use OpenSSL. The flaw has existed since May 2012. Nobody can tell whether data has been intercepted during this period.


What can I do?

There are very few things you can do to intervene in this situation. It is strongly recommended that you change your passwords on sites and applications affected by the security flaw (see the list at this address: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/).

However, nothing guarantees that what was exchanged during the critical period was not intercepted by someone, or that the information will not be used later on.