FAQ: What is the Heartbleed vulnerability and how to protect yourself from it
Technologies / December 19, 2019
A recently discovered vulnerability in the OpenSSL library, dubbed Heartbleed and even given its own logo, poses a potential threat to users' passwords on a wide variety of websites. We decided to wait for the hype around it to settle and then discuss it, so to speak, as the dry residue.
To help with this we turned to the popular publication CNET, which compiled a list of frequently asked questions on the subject. We hope the information below will help you learn more about Heartbleed and protect yourself. First of all, remember that as of this writing the Heartbleed problem has not been fully resolved.
What is Heartbleed?
Heartbleed is a security vulnerability in the OpenSSL software library (an open-source implementation of the SSL/TLS encryption protocol) that allows attackers to read the contents of a server's memory, which at any given moment may contain the private data of various users of web services. According to the research firm Netcraft, about 500 thousand websites may be exposed to this vulnerability.
This means that the personal data of users of those sites, such as user names, passwords and credit card details, was potentially at risk.
The vulnerability also gives attackers access to digital keys that are used, for example, to encrypt correspondence and internal documents in a variety of companies.
What is OpenSSL?
Let's start with SSL, which stands for Secure Sockets Layer. It is also known under its newer name, TLS (Transport Layer Security). Today it is one of the most common methods of encrypting data on the network, protecting you from possible eavesdropping by third parties. (The https at the beginning of a link indicates that the communication between your browser and the site you are opening uses SSL; otherwise you will simply see http in the browser.)
OpenSSL is an open-source implementation of SSL. Versions 1.0.1 through 1.0.1f of the library were vulnerable. OpenSSL is also used in the Linux operating system and is part of the two most popular web servers, Apache and Nginx, which run a large part of the Internet. In short, OpenSSL's reach is huge.
Who found the bug?
The credit belongs to employees of the computer security company Codenomicon and to Google researcher Neel Mehta, who discovered the vulnerability independently of each other, practically on the same day.
Mehta donated his reward of 15 thousand dollars for finding the bug to a campaign run by the Freedom of the Press Foundation to develop encryption tools for journalists working with sources. Mehta continues to decline interviews, but his employer, Google, gave the following comment: "The safety of our users is our highest priority. We are constantly looking for vulnerabilities and encourage everyone to report them as soon as possible so that we can fix them before they become known to attackers."
Why Heartbleed?
The name Heartbleed was coined by Ossi Herrala, a system administrator at Codenomicon. It is more euphonious than the technical name CVE-2014-0160, the number that designates the vulnerability by its line of code.
Heartbleed (literally "bleeding heart") is a play on words referring to the OpenSSL extension called Heartbeat. That protocol keeps a connection open even when the parties are not exchanging any data. Herrala felt that Heartbleed perfectly captures the essence of the vulnerability, which allowed sensitive data to leak from memory.
The name turned out to be quite successful for a bug, and that is no accident. The Codenomicon team deliberately chose a catchy (press-friendly) name to help notify as many people as possible, as quickly as possible, about the vulnerability they had found. Having named the bug, Codenomicon soon bought the domain Heartbleed.com and launched a site there explaining Heartbleed in accessible terms.
Why are some sites not affected by Heartbleed?
Despite the popularity of OpenSSL, there are other SSL/TLS implementations. In addition, some sites use an earlier version of OpenSSL in which this bug is absent. And some did not enable the heartbeat function, which is the source of the vulnerability.
The potential damage is partly reduced by the use of PFS (perfect forward secrecy), a property of the SSL protocol that ensures that if an attacker retrieves one key from the server's memory, he will not be able to decrypt all traffic or gain access to the remaining keys. Many (but not all) companies already use PFS, for example Google and Facebook.
How does Heartbleed work?
The vulnerability lets an attacker gain access to 64 kilobytes of server memory and repeat the attack again and again until the data has been fully extracted. This means that not only user names and passwords are prone to leaking, but also the cookie data that web servers and sites use to track user activity and simplify sign-in. The Electronic Frontier Foundation states that repeated attacks can also give access to more serious information, such as the site's private encryption keys used to encrypt traffic. Using such a key, an attacker could impersonate the original site and steal all sorts of personal data, such as credit card numbers or private correspondence.
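To make the missing check concrete, here is an added example (written for this page; it is not code from the article or from OpenSSL): a simplified heartbeat handler in C modelled on the RFC 6520 record layout, reproducing the defect when `bounds_check` is 0 and the fix when it is 1. The request sits inside a constructed "process memory" array next to a made-up secret, so the over-read stays within defined memory; `sample_memory`, `heartbeat_response` and all constants are this example's own names.

```c
#include <stdint.h>
#include <string.h>

/* Simplified TLS heartbeat handler modelled on RFC 6520 (added example, not
 * OpenSSL code). Record: byte 0 = type (1 request, 2 response), bytes 1..2 =
 * payload_length big-endian, then payload and >= 16 bytes of padding. The record
 * lives inside a larger "process memory" array so the unchecked copy stays defined. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define SAMPLE_LEN  64

/* Constructed sample memory: a 21-byte request with payload "hi", followed by a
 * made-up secret that is not part of the record. declared_len goes in the header. */
const uint8_t *sample_memory(uint16_t declared_len, size_t *rec_len)
{
    static uint8_t mem[SAMPLE_LEN];
    memset(mem, 0, sizeof mem);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(declared_len >> 8);
    mem[2] = (uint8_t)(declared_len & 0xff);
    memcpy(mem + 3, "hi", 2);             /* real payload; bytes 5..20 are padding */
    memcpy(mem + 21, "SECRET-KEY", 10);   /* adjacent memory the peer must never see */
    *rec_len = 21;
    return mem;
}

/* Writes the response to out; returns bytes written, or -1 if the request is
 * discarded. bounds_check == 0 reproduces the Heartbleed defect: payload_length
 * is trusted, so the copy reads past the end of the record it arrived in. */
int heartbeat_response(const uint8_t *mem, size_t mem_len, size_t rec_off,
                       size_t rec_len, uint8_t *out, size_t out_cap, int bounds_check)
{
    const uint8_t *rec = mem + rec_off;
    if (rec_off + rec_len > mem_len || rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: header + declared payload + padding must fit in the record
     * actually received; otherwise the message is silently discarded. */
    if (bounds_check && 3 + payload_len + HB_PADDING > rec_len)
        return -1;
    if (rec_off + 3 + payload_len > mem_len || 3 + payload_len + HB_PADDING > out_cap)
        return -1;   /* keeps the simulated over-read inside the sample array */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);  /* echoes payload_len bytes, whatever they hold */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)(3 + payload_len + HB_PADDING);
}
```

With the unchecked path, a header claiming 32 bytes of payload on a 21-byte record returns the "SECRET-KEY" bytes that lie beyond the record; the checked path discards the same request, while an honest 2-byte request is answered normally.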
Should I change my password?
For a variety of sites the answer is "yes". BUT it is better to wait for a message from the site's administration that the vulnerability has been eliminated. Naturally, your first reaction is to change all your passwords immediately, but if the vulnerability on some of the sites has not been fixed, changing the password is pointless: now that the vulnerability is widely known, you would only increase the chances of an attacker learning your new password.
How do I find out which sites contain the vulnerability and whether it has been fixed?
There are several resources that check the Internet for the vulnerability and report its presence or absence. We recommend the resource from LastPass, a developer of password management software. Although it gives a fairly clear answer to whether a given site is vulnerable, treat the results of the check with caution. If the vulnerability has definitely been found on a site, try not to visit it.
You can also explore a list of the most popular sites exposed to the vulnerability at the link.
The most important thing before changing a password is to obtain official confirmation from the administration of the site on which Heartbleed was discovered that it has already been eliminated.
Many companies have already published relevant entries on their blogs. If there are none, do not hesitate to refer the question to support.
Who is responsible for the appearance of the vulnerability?
According to the Guardian newspaper, the name of the programmer who wrote the "buggy" code is Robin Seggelmann. He worked on the OpenSSL project while obtaining his doctorate, from 2008 to 2012. The situation is made more dramatic by the fact that the code was committed to the repository on December 31, 2011 at 23:59, although Seggelmann argues that this does not matter: "I am responsible for the mistake, as I wrote the code and did all the necessary checks."
At the same time, since OpenSSL is an open-source project, it is difficult to blame the error on any one person. The project's code is complex and contains a large number of complex functions, and Heartbeat specifically is not the most important of them.
Is it true that the US government used Heartbleed for spying for two years before it became public?
It is not clear yet. The well-known news agency Bloomberg reported that this was the case, but the NSA denies everything. Regardless, the fact remains: Heartbleed is still a threat.
Should I worry about my bank account?
Most banks do not use OpenSSL, preferring proprietary encryption solutions. But if you are plagued by doubts, just contact your bank and ask them. In any case, it is better to follow the development of the situation and the official reports from banks. And do not forget to keep an eye on the transactions in your account; if you see transactions you do not recognize, take the appropriate action.
How do I find out whether hackers have already used Heartbleed to steal my personal data?
Unfortunately, you cannot: exploitation of this vulnerability leaves no trace of the intruder's activity in the server logs.
Should I use a program to store my passwords, and which one?
On the one hand, Heartbleed once again raises the question of the value of a strong password. In the wake of the mass password change, you may wonder how you can further enhance your security. Of course, password managers are trusted assistants in this case: they can automatically generate and store a strong password for each site individually, while you have to remember only one master password. The online password manager LastPass, for example, insists that it was not exposed to the Heartbleed vulnerability and that users do not need to change their master password. In addition to LastPass, we recommend paying attention to such proven solutions as RoboForm, Dashlane and 1Password.
In addition, we recommend using two-step authentication wherever possible (Gmail, Dropbox and Evernote already support it): then, on login, in addition to the password the service will ask for a one-time code that is generated in a special mobile application or sent by SMS. In this case, even if your password is stolen, an attacker cannot simply use it to log in.