When two hosts share sensitive data between them, the communication must be encrypted. And, SSL/TLS is used for that purpose.
OpenSSL is one of the most common implementations of SSL/TLS. And, Heartbleed is a newly discovered security vulnerability in OpenSSL which enables attackers to steal sensitive data like login credentials, personal data or even decryption keys that are communicated over SSL/TLS.
Heartbleed Security Vulnerability
When two hosts communicate over TLS, the session must be kept alive upto a certain amount of time, even if no real communication has happened in that time. This saves the users from re-entering his login credentials again and again, if the session terminates in the middle.
Heartbeat is an extension of TLS protocol which is used for this purpose. Using this extension, the TLS session between two hosts are verified.
In Heartbleed, attackers exploit security vulnerability present in the Heartbeat extension to steal sensitive data transferred over TLS.
How do attackers exploit Heartbleed
As said above, Heartbeat extension verifies that both the hosts communicating over TLS are still connected and available for communication. For that purpose, Heartbeat sends a message to OpenSSL server and the message is then relayed back to the sender.
This Heartbeat message contains mainly two components – information on the payload size and the actual payload. This payload can be up to 64 KB in size.
But, in Heartbeat, there is no check made to verify whether the actual payload size is same as the payload size actually mentioned. And, attackers take advantage of this vulnerability to perpetrate attacks.
Supppose, an attacker spoofs the information on payload size and indicates it to be 64 KB, even though the actual payload is on size 1 KB only.
As the Heartbeat extension does not verify the information, the server would receive 1 KB of payload data, but in return it would send back to the other host 64 KB of data. It would send 1 KB of data it actually received, along with 63 KB of data stored in adjacent memory. And, that 63 KB of additional data may contain sensitive data like login credentials, personal data or even decryption keys.
How does Heartbleed pose a threat
It is quite possible that, the attacker may initially receive no useful information in the additional 63 KB of data. But, if the attackers exploit the vulnerability again and again and make repeated attacks, it becomes highly probable that the attacker would get enough sensitive data.
We can take a couple of steps to safeguard us from this attack :
- Version of OpenSSL should be upgraded to the latest available version.
- After upgrading the OpenSSL version, if you think webserver certificates may have been compromised, contact the certificate authority for a replacement.
- If you think, you may have been attacked, reset the end-user passwords.
- Avoid responding to potential Phishing emails asking for resetting passwords. Instead, stick with the official site domain.
- Monitor your bank and credit card statements to check whether any unusual transactions are made.