A little about Heartbleed

Hey there! If you want to read about the Heartbleed issue, yet find the information provided on the bug’s website a little too complicated, this is for you.
[list=1]
[*] What is Heartbleed? It’s the name of a bug that originates in an OpenSSL feature called Heartbeat. What this does, basically, is a kind of “ping” between a server and a client, asking whether the connection is still alive.
[*] Cool, so how does the bug work, exactly? It is an extremely simple concept, very easy to exploit. A “Heartbeat” request carries a payload of at most 64K, and the size of the payload is specified as part of the request itself. The server receives this request, saves the data to memory, then sends this data back to the client. To put it simply, we can imagine this:
Client: Hey there, server. Say these 10 words to me: [i]alpha, bravo, vulnerable, server, subtle, undetectable, invisible, efficient, pwned, confidential.[/i]
Server: Sure, I just wrote them down in my notepad. Reading 10 words: [i]alpha, bravo, vulnerable, server, subtle, undetectable, invisible, efficient, pwned, confidential.[/i]
This is Heartbeat. However, what happens if the client lies?
Client: Hey there, server. Say these 10 words to me: [i]alpha.[/i]
Server: Sure, I just wrote them down in my notepad. Reading 10 words: alpha, tomorrow, put, thousand, dollars, in, bank, account, 72937824, password.
Voilà! The client had access to the server’s “notepad”: the memory.
[*] What can an attacker obtain by exploiting this? Pretty much everything. Not only the private keys of the server certificates (with which the attacker would be able to impersonate the server or snoop on client-server communications), but also the login details of any logged-in users, e-mail contents, banking operations, application code… all the “juicy” stuff.
[*] But with 64K of data you can’t do much. Ha, that’s true. But I can make as many requests as I wish (leaving no trace, as this was something ‘normal’ for servers, and until the vulnerability was disclosed almost no one logged these requests). Also, memory randomization ensures that I get a different part of memory with every request, automatically.
[*] …Scary. What servers did you say are vulnerable to this?! About 2/3 of (indexed, I guess) servers run OpenSSL. But not all of them necessarily have the vulnerable version (which, by the way, was the most recent one). Yahoo! was one of them. But not only servers are vulnerable; smartphones are too, for example.
[*] What should I do? You should make sure the service you use is no longer vulnerable to Heartbleed (there’s a website where you can check it in real time; just search for “heartbleed check”), and if it isn’t, change your password for that service. If it is still vulnerable, first contact the webmaster and tell them to update OpenSSL AND renew all the keys, etc. Then change your passwords. If you’re a webmaster yourself, do the same: check your server, update, and renew.
[*] How long has this been going on? It’s been in the wild for 2 years. Yes, that’s a lot. And yes, it’s more than likely that someone (and I don’t only mean the NSA) has been using it. But something like this, while still in ‘undercover’ phase, isn’t used against normal people, I guess. More about HVT (this is my opinion, not a fact).
[/list]
This is basically what you need to know.
tl;dr??? Ok, then try xkcd.
If you want more info, I can provide some more advanced data, including how to keep track of these kinds of requests if you’re a webmaster (honeypot person ;)), or details about the structure of the request itself, etc.
Sorry if that sounded stupid.
All your karamas are belong to us.
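The lying-client exchange in the post above, worked through in C as an added example (this is not code from the original thread, nor OpenSSL’s own source): a heartbeat handler modelled on the pre-1.0.1g logic sits beside the patched length check, and both are run over a constructed 72-byte stand-in for the server’s process memory in which the request is stored right next to a made-up secret. The record layout follows RFC 6520 (1-byte type, 2-byte length, payload, at least 16 bytes of padding); the function names, the SECRET string and the memory layout are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* RFC 6520: at least 16 bytes of padding */
#define RECORD_BYTES     24   /* 1 type + 2 length + 5 payload + 16 padding */
#define MEMORY_BYTES     72

/* Constructed stand-in for the server's process memory (not a real capture):
 * the record fills the first 24 bytes; the "notepad" neighbour follows it. */
static const char SECRET[] = "tomorrow put 1000 dollars in account 72937824";

/* Fill 'mem' with a heartbeat request whose length field claims 'claimed_len'
 * payload bytes while the payload actually sent is the 5 bytes "alpha". */
static void build_memory(unsigned char *mem, uint16_t claimed_len)
{
    memset(mem, 0, MEMORY_BYTES);
    mem[0] = TLS1_HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, "alpha", 5);
    memset(mem + 8, 0xAA, HB_PADDING);                  /* client's padding */
    memcpy(mem + RECORD_BYTES, SECRET, sizeof SECRET);  /* unrelated neighbour */
}

/* Shared response builder: echoes 'payload' bytes starting at rec + 3. */
static int build_response(const unsigned char *rec, uint16_t payload,
                          unsigned char *out, size_t out_cap)
{
    size_t resp_len = 3 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;            /* bounds the output only */
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);            /* copies whatever follows the header */
    memset(out + 3 + payload, 0xBB, HB_PADDING);  /* OpenSSL used RAND_pseudo_bytes */
    return (int)resp_len;
}

/* Vulnerable handler, modelled on tls1_process_heartbeat() before 1.0.1g: it
 * trusts the 16-bit length in the record and never compares it with the bytes
 * actually received, so the memcpy above reads past the end of the record. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != TLS1_HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return build_response(rec, payload, out, out_cap);
}

/* Patched handler: adds the 1.0.1g check that header + claimed payload +
 * mandatory padding must fit inside the record that arrived; else drop it. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != TLS1_HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;
    return build_response(rec, payload, out, out_cap);
}

/* Honest request: claims 5 bytes, sends 5. Both handlers answer with 24 bytes. */
int honest_request_is_answered(void)
{
    unsigned char mem[MEMORY_BYTES], out[128];
    build_memory(mem, 5);
    return heartbeat_vulnerable(mem, RECORD_BYTES, out, sizeof out) == RECORD_BYTES
        && heartbeat_fixed(mem, RECORD_BYTES, out, sizeof out) == RECORD_BYTES;
}

/* Lying request: claims 66 bytes ("say these 10 words") but sends 5. Returns 1
 * if the vulnerable reply carries the neighbouring SECRET after the padding. */
int lying_request_leaks_secret(void)
{
    unsigned char mem[MEMORY_BYTES], out[128];
    uint16_t claimed = 5 + HB_PADDING + (uint16_t)(sizeof SECRET - 1);  /* 66 */
    build_memory(mem, claimed);
    if (heartbeat_vulnerable(mem, RECORD_BYTES, out, sizeof out) < 0) return 0;
    return memcmp(out + 3 + 5 + HB_PADDING, SECRET, sizeof SECRET - 1) == 0;
}

/* The same lying request against the patched handler is dropped (-1). */
int lying_request_is_dropped(void)
{
    unsigned char mem[MEMORY_BYTES], out[128];
    build_memory(mem, 5 + HB_PADDING + (uint16_t)(sizeof SECRET - 1));
    return heartbeat_fixed(mem, RECORD_BYTES, out, sizeof out) == -1;
}

int main(void)
{
    printf("honest request answered:     %d\n", honest_request_is_answered());
    printf("lying request leaks secret:  %d\n", lying_request_leaks_secret());
    printf("lying request dropped (fix): %d\n", lying_request_is_dropped());
    return 0;
}
```

Note that the vulnerable handler does check a length: it makes sure the response fits in the output buffer. That is exactly why the bug went unnoticed for so long; the missing comparison is between the claimed payload length and the length of the record that actually arrived, which is the single line the fix adds.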



Thanks guys! I wasn’t on HackThis last week and today I was a bit surprised to find nothing about this on the forums (the ticker only linked to the bug’s site and the challenge).
It’s an important and interesting thing, in my opinion.

@SFisher: Yeah, it’s interesting enough to write an article. You should write one. :p


Interesting, I’ve never done that!
I do have some kind of private ‘report’ written, with info I compiled from multiple sources and some other things I tested myself.
It’s not in the computer I’m using right now, but I’ll have access to it in some hours - I can submit it then.
This sounds very cool. xD
EDIT: I just submitted an article. If @flabbyrabbit likes it you should be able to read it soon. I don’t know if it’s good quality content, but I hope so! Thanks for the suggestion.

@SFisher: Don’t worry dude! @flabbyrabbit is not so picky. I am about to read your article. xD

I tried not to get too informal while writing; you know it’s easy for me to go a little crazy. I do have an intellectual side few of you know about; the only downside is that I only show it as a joke, too. xD
I really had to restrain myself from making jokes and/or inciting panic about the issue.
The Internet is being torn apartttttt… :o
Reminds me of this
EDIT: @flabbyrabbit approved the article and it has been published (WOO!!), any future questions or comments can be posted there. Thread closed!
Thanks!!