On Monday afternoon (April 7, 2014), the OpenSSL project posted an emergency security advisory about a bug now called Heartbleed (CVE-2014-0160). The bug gave attackers “access to private keys to OpenSSL servers, letting attackers listen in on data traffic and potentially masquerade as the server.” By the usual estimate, two out of three servers on the web rely on OpenSSL, giving Heartbleed vast amounts of data to choose from. The flawed code shipped in OpenSSL 1.0.1 in March 2012, so the bug has been live for about two years, and nobody knows the true extent of what has been taken.
What is OpenSSL, you may ask? According to Wikipedia:
“OpenSSL is an open-source implementation of the SSL and TLS protocols. The core library, written in the C programming language, implements the basic cryptographic functions and provides various utility functions.”
“Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols which are designed to provide communication security over the Internet. They use X.509 certificates and hence asymmetric cryptography to assure the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. This allows for data/message confidentiality, and message authentication codes for message integrity and as a by-product, message authentication.”
Heartbleed’s core target is the server’s private key, which sits in the server process’s memory alongside whatever else it has recently handled (session keys, cookies, passwords). A malformed heartbeat request lets an attacker read up to 64 KB of that memory per request, and the reads leave no trace in the server’s logs. With the private key in hand, an attacker can decrypt new traffic to and from the service, impersonate the server, and, for sessions that were negotiated without forward secrecy, decrypt older traffic captured earlier.
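To make the mechanism concrete, here is an added example (written for this post; it is not OpenSSL’s code) that models the defect in C. A TLS heartbeat request carries a two-byte length field saying how many payload bytes the peer should echo back. The vulnerable handler trusts that field and copies that many bytes out of the incoming record buffer, so a request that declares 64 bytes but sends two gets back whatever sits next to it in process memory. The memory layout, the `FAKE-PRIVATE-KEY-MATERIAL` string and all function names are constructed for the demo; the bounds check in `heartbeat_fixed` has the same shape as the check the OpenSSL 1.0.1g fix added.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat message (RFC 6520):
 *   1 byte   type (1 = request, 2 = response)
 *   2 bytes  payload_length, big-endian
 *   payload_length bytes of payload, which the peer echoes back
 *   at least 16 bytes of padding
 * rec/rec_len describe the record as it actually arrived on the wire. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16, HB_MAX_PAYLOAD = 65535 };

/* Response buffer sized for the largest declarable payload, so this demo only
 * over-reads the source buffer (the Heartbleed defect) and never over-writes. */
static uint8_t response[1 + 2 + HB_MAX_PAYLOAD + HB_PADDING];

/* Vulnerable handler (a hypothetical model of the defect class in OpenSSL 1.0.1
 * through 1.0.1f, not OpenSSL's code): it trusts the peer-declared length. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                                   /* real length never checked */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2]; /* attacker-chosen, up to 64 KB */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);               /* reads past the end of the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + payload + HB_PADDING;
}

/* Fixed handler: same shape of check as the OpenSSL 1.0.1g fix, which silently
 * discards any heartbeat whose declared payload does not fit inside the record. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);               /* now guaranteed to stay inside rec */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + payload + HB_PADDING;
}

/* Returns 1 if needle occurs anywhere in hay[0..n). */
static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Constructed "process memory": a heartbeat request carrying 2 payload bytes but
 * declaring 64, followed by fake key material that happens to sit next to it.
 * Returns 1 if that secret shows up in the heartbeat response. */
int heartbleed_demo(int use_fixed)
{
    static const char secret[] = "FAKE-PRIVATE-KEY-MATERIAL"; /* constructed, not a real key */
    uint8_t memory[256] = {0};
    uint8_t *rec = memory;
    rec[0] = HB_REQUEST;
    rec[1] = 0x00; rec[2] = 0x40;                    /* declares 64 bytes of payload ... */
    rec[3] = 'h';  rec[4] = 'i';                     /* ... but only 2 were sent */
    size_t rec_len = 1 + 2 + 2 + HB_PADDING;         /* 21 bytes really arrived */
    memcpy(memory + rec_len, secret, sizeof secret); /* neighbouring heap contents */

    size_t n = use_fixed ? heartbeat_fixed(rec, rec_len, response)
                         : heartbeat_vulnerable(rec, rec_len, response);
    return n > 0 && contains(response, n, secret);
}

int main(void)
{
    printf("vulnerable handler leaked the secret: %s\n", heartbleed_demo(0) ? "yes" : "no");
    printf("fixed handler leaked the secret:      %s\n", heartbleed_demo(1) ? "yes" : "no");
    return 0;
}
```

Running it prints “yes” for the vulnerable handler and “no” for the fixed one. The point to notice is how small the defect is: one missing comparison between the length the peer claimed and the length that actually arrived. Nothing is written out of bounds and nothing crashes, which is why the leak is silent and why patching to 1.0.1g only stops further reads; any key that may already have been read has to be replaced.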
The IT world is calling this a catastrophic event, and upgrading to OpenSSL 1.0.1g is only the first step: because any key on an affected server may already have leaked, keys need to be regenerated and certificates reissued and revoked. Hopefully, someone will get to the bottom of this.
Read Russell Brandom’s article, “Why Heartbleed is the most dangerous security flaw on the web”, at The Verge.