Why Heartbleed Matters
Heartbleed has been making front-page news recently. It is a bug in OpenSSL, the very popular open source library that implements the SSL/TLS security layer for a large part of the Internet. The question is: why does Heartbleed matter?
It is a security bug that lets an unauthenticated remote party read memory from a vulnerable server or client, meaning personal data is at risk.
What leaks in practice?
We have tested some of our own services from an attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business-critical documents and communication.
The controversy escalates quickly because OpenSSL is open source: the bug hands advocates of closed-source software an easy target to aim at.
Because OpenSSL is so widely deployed, Heartbleed potentially affects a large share of Internet websites. The often-quoted figure of about 66% is the combined market share of the web servers that typically link against OpenSSL, not a count of sites confirmed vulnerable: only the OpenSSL 1.0.1 branch up to 1.0.1f (and the 1.0.2 beta) contains the bug, so a site running an older 0.9.8 or 1.0.0 build is not exposed.
The most notable software using OpenSSL is the open source web servers Apache and nginx. The combined market share of just those two among active sites on the Internet was over 66% according to Netcraft's April 2014 Web Server Survey. Furthermore, OpenSSL is used to protect, for example, email servers (SMTP, POP and IMAP), chat servers (XMPP), virtual private networks (SSL VPNs), network appliances and a wide variety of client-side software. Fortunately, many large consumer sites are saved by their conservative choice of SSL/TLS termination equipment and software. Ironically, smaller and more progressive services, or those who have upgraded to the latest and best encryption, will be affected most: the vulnerable 1.0.1 branch is also the first OpenSSL release with TLS 1.2 support, so sites that upgraded for stronger crypto picked up the bug along with it. Furthermore, OpenSSL is very popular in client software and somewhat popular in networked appliances, which have the most inertia in getting updates.
Can it be fixed? Absolutely. We will cover that in our articles sometime this week.