Heartbleed bug: What you need to know…

I’m a little late to the party blogging about this – mainly because I was busy installing patches on all my servers yesterday. So, chances are you may have read other, more detailed posts than this one already.

What’s it all about?
When you load a website that uses https (or another secure service, like mail), your computer connects to the remote server and requests the information. This takes a little longer than a normal insecure request, because the two computers need to agree on passwords, send login information and things like that.

And because it’s likely that you will read a web page, click on a link and request another page from the same server, the computers don’t throw away that hard work. They keep the session open so it can be re-used, periodically sending heartbeat messages to prove that each end of the connection is still there.

Usually, a heartbeat message takes the form of your computer saying “I’m going to send you x bytes of random data. Please send them back to me” and then attaching that many bytes. The server receives the message and the data you sent, and sends the data back. Your computer checks that what it received matches what it sent, and if it does then all is well.

The problem is that one of the most widely used implementations has a flaw. It knows you intended to send ‘x bytes’, but it doesn’t check that you actually sent them. So a malicious attacker says “I’m going to send you 64,000 bytes of data” but actually sends only 1 byte. A vulnerable server receives that 1 byte (which gets stored in its memory) and then sends back 64,000 bytes. The other 63,999 bytes are whatever was stored in that part of the server’s memory at the time, and that could contain your password or other sensitive information.
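A small model of the flaw and its fix in Python, added here as an illustration and not part of the original post (nor the affected library’s own code): process memory is a constructed byte string, the vulnerable handler trusts the claimed length, and the patched handler applies the bounds check that the fix introduced: the claimed length plus the 16 bytes of minimum padding must fit inside the record that was actually received.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # the heartbeat spec requires at least 16 bytes of random padding


def parse_heartbeat(record):
    """Split a heartbeat record into (message type, claimed payload length, remaining bytes)."""
    msg_type, claimed_len = struct.unpack("!BH", record[:3])
    return msg_type, claimed_len, record[3:]


def vulnerable_response(memory, record_offset, record_len):
    """Reply the way the post describes: trust the claimed length and copy that many
    bytes starting at the payload, no matter how many bytes were actually received.
    `memory` is a constructed byte string standing in for the server's process memory;
    the received record sits at `record_offset` and the bytes after it are whatever
    else happened to be in memory at the time."""
    record = memory[record_offset:record_offset + record_len]
    _, claimed_len, _ = parse_heartbeat(record)
    payload_start = record_offset + 3
    echoed = memory[payload_start:payload_start + claimed_len]  # runs past the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + echoed


def patched_response(memory, record_offset, record_len):
    """The corrected handler: the claimed payload plus the minimum padding must fit
    inside the record that was actually received, otherwise the message is discarded."""
    record = memory[record_offset:record_offset + record_len]
    _, claimed_len, rest = parse_heartbeat(record)
    if 1 + 2 + claimed_len + MIN_PADDING > record_len:
        return None  # silently drop the malformed heartbeat
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + rest[:claimed_len]


# Constructed sample memory: a heartbeat that claims 40 bytes but carries only one,
# followed by leftover data from an earlier request (the "sensitive information").
LEFTOVER = b"user=alice;password=hunter2;"
MALICIOUS = struct.pack("!BH", HEARTBEAT_REQUEST, 40) + b"A"
MEMORY = b"\x00" * 8 + MALICIOUS + LEFTOVER + b"\x00" * 64
# A well-formed heartbeat: 5-byte payload plus 16 bytes of padding.
LEGIT = struct.pack("!BH", HEARTBEAT_REQUEST, 5) + b"hello" + b"\x00" * MIN_PADDING

if __name__ == "__main__":
    print("vulnerable:", vulnerable_response(MEMORY, 8, len(MALICIOUS)))  # leaks LEFTOVER
    print("patched:   ", patched_response(MEMORY, 8, len(MALICIOUS)))     # None
    print("legit:     ", patched_response(LEGIT + LEFTOVER, 0, len(LEGIT)))
```

The vulnerable reply is 43 bytes long and carries the leftover data; the patched handler drops the malformed message and still answers the well-formed one correctly.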

Should we panic?
If you like. A lot of people are. But it won’t help much.

It appears that the bug has been around for about 2 years. We don’t know how long the “bad guys” have known about it. But if you were going to be stung by it, chances are that it’s already happened.

What should I do about it?

Firstly, you need to look to your service providers for things like email, internet banking, blogs, etc. and ensure that they have already fixed themselves up. It’s likely the major players already have.

Over the next few days, you should also keep an eye on the website of the company that makes your home internet router: there may be a software update released, and you should install it if one becomes available.

Aside from those two things, it’s time for a password change on any of the systems that were vulnerable. And anywhere else you’ve used the same password.

And this is why it’s a good idea to use a different password for every site. If you’re not already using a password manager, today is a good day to start. If your sites offer the option of one-time passwords (using something like Google Authenticator or Paypal token) or notifications of unusual logins (Facebook, Twitter & Hotmail offer these) you should consider using them too.

Update 2014-04-11:

  • The always-funny xkcd.com explains the bug in cartoon form.
  • The Electronic Frontier Foundation has found some log files which demonstrate that someone knew about the bug at least as early as November 2013 and was actively exploiting it.