Understanding the Heartbleed Bug

This might be a little too late for this because it’s been almost a week after the public announcement of this dangerously popular Heartbleed bug.

But I must admit, I didn’t really understand what they were talking about until I found this kind of funny comic illustration of how this bug works (see below). All I got from the official site was technical mumbo jumbo that made me think it would still take me a few hundred more books before I can really say I understand the internet.

Sure, I was able to set up dedicated servers, proxies, websites, apps and other stuff, but the more I learn, the more I find out how little I know. You have probably heard that from somewhere already, and I did too, but I couldn’t really feel it that much before.

So, back to the Heartbleed bug. For those who have never heard of it yet, it is a vulnerability in the OpenSSL cryptographic software library. This is the most widely used software that secures our connections to websites on the internet, especially the important and sensitive ones like our banks and web-based email.

You see those sites that you access with https:// at the beginning of their URLs instead of the plain and more traditional http://?

Those sites use SSL (Secure Sockets Layer) or the more recent TLS (Transport Layer Security) to make sure that when you access them, your browser is sending and receiving data only from them and NOT from some evil hacker impersonating their site to steal your sensitive details.

This is very important, especially with anything that involves finances. Just imagine what someone could do if they could log in to your online bank account. You could probably say goodbye to all your hard-earned money in there.

OpenSSL is the software used to implement Transport Layer Security in Apache and Nginx web servers. These two alone power 66% of all the active sites on the internet today, and there are other types of web servers that probably use OpenSSL as well.

If you are running an e-commerce website that takes payments right on your site, you most probably have an SSL certificate installed in order to serve your site over HTTPS to your visitors. And if the web server running your site is either Apache or Nginx, you are most probably affected by this bug.

For more details of this bug, you should check out the info site they put up for this: heartbleed.com.

On that site, they explain that the Heartbleed bug is:

A serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

Further, they use the term “leak” to describe how data that should be protected comes out of its supposedly secure connection. But you can’t really understand what geeks are talking about unless you are a geek in this field yourself.

So here’s a much simpler explanation of how this bug really works, a comic illustration from xkcd.com:

[Comic: Heartbleed bug explanation]
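As an added illustration (not part of the original post, and not OpenSSL’s own code), here is a simplified Python model of the point the comic makes: a heartbeat request states how long its payload is, and the vulnerable code trusted that number when copying bytes back. The record layout (type, 2-byte length, payload, padding) follows the TLS heartbeat format; the “memory” contents and the cookie value are constructed for the example.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = 16  # heartbeat messages end with at least 16 bytes of padding


def build_record(payload: bytes, claimed_length: int) -> bytes:
    """1-byte type, 2-byte big-endian length, payload, padding.
    claimed_length is whatever the sender writes; it may not match len(payload)."""
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack(">H", claimed_length)
            + payload + b"\x00" * PADDING)


def vulnerable_handler(memory: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour: trusts the length field and copies that many bytes
    starting at the payload, even past the end of the record just received.
    (Python slicing stops at the end of `memory`; C's memcpy would not.)"""
    length = struct.unpack(">H", memory[1:3])[0]
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", length) + memory[3:3 + length]


def fixed_handler(memory: bytes, record_len: int):
    """Post-fix behaviour: the claimed length must fit inside the record that was
    actually received (type + length + payload + padding); otherwise drop it."""
    length = struct.unpack(">H", memory[1:3])[0]
    if 1 + 2 + length + PADDING > record_len:
        return None  # silently discarded, no response at all
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", length) + memory[3:3 + length]


def simulate(payload: bytes, claimed_length: int) -> dict:
    """Place one heartbeat record in front of unrelated data that a real server
    would also hold in the same heap (a constructed session cookie), then run
    both handlers over that memory image."""
    record = build_record(payload, claimed_length)
    other_data = b"session=SECRETCOOKIE-constructed-for-demo"  # constructed
    memory = record + other_data
    return {
        "vulnerable": vulnerable_handler(memory, len(record)),
        "fixed": fixed_handler(memory, len(record)),
    }
```

With an honest length both handlers return just the payload; with an inflated length the vulnerable handler returns the cookie that followed the record in memory, while the fixed handler returns nothing.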

You have probably been advised by your hosting provider already on how to check for and fix this vulnerability. But just in case you haven’t, here is how you can easily test whether your site is affected and still vulnerable: https://filippo.io/Heartbleed/.

Filippo also provides a good FAQ page there, which is worth a look if you have more questions.

If you’ve just heard about this now and you’ve found out that your site is vulnerable, contact your hosting provider immediately and get instructions on how to update your OpenSSL installation to the latest, secure version. Each hosting provider has its own way of setting up its hosting environment, so we can’t cover the exact how-to-fix-it guide here.

Don’t wait until your customers’ credit card numbers are already in the wrong hands. Be safe.