Meet Heartbleed: The Huge New Security Flaw for Secure Websites
Posted on April 15th 2014
Internet researchers have found a brand new, very serious vulnerability called the Heartbleed Bug, which makes it possible for hackers to steal encrypted information from secure websites that run certain versions of OpenSSL.
This bug allows attackers to access the memory of the websites running vulnerable versions of OpenSSL software, including the secret keys used to encrypt messages sent by those websites. This gives attackers the ability to decrypt and steal supposedly secure data captured during an encrypted web session.
A Quick Review of Secure Websites (HTTPS)
Online retailers and banks use HTTPS -- short for Hypertext Transfer Protocol Secure -- to secure messages sent and received by their websites. Have you ever seen a small lock symbol next to the URL of a website? This indicates that the website’s traffic is secured using HTTPS.
The technology behind HTTPS is called SSL, or Secure Sockets Layer. SSL creates an encrypted link between the website and your browser which is supposed to ensure that the website is authentic and that all data passed between you and the website remains private.
Secure websites rely on SSL, and on its newer successor TLS (Transport Layer Security), to create encrypted sessions. TLS/SSL uses cryptographic keys contained in digital certificates to let your browser confirm that web servers are who they say they are. TLS/SSL then generates secret keys that keep the data exchanged between you and a secure website private. A hacker who captures SSL/TLS-encrypted messages sees only gibberish -- unless he has the secret keys used to encrypt those messages.
OpenSSL and Heartbleed
OpenSSL is an open source software package that many website developers use to perform TLS/SSL encryption. Unfortunately, due to a small coding error, certain versions of OpenSSL allow any attacker to send a "heartbeat" message that retrieves small chunks of a vulnerable web server's memory. By sending heartbeats repeatedly, the attacker can collect quite a bit of information from the server, including the secret keys used by TLS/SSL.
This is a big deal, because if attackers can harvest those secret keys, they can use them to decrypt messages sent and received by that server, now or at any time in the past. By decrypting your messages, attackers can steal your website login information as well as other sensitive data, such as credit card details exchanged with an online retailer like Amazon.
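The "small coding error" above is a missing length check: the heartbeat handler trusted the payload length claimed inside the message instead of comparing it with the number of bytes actually received. The following added example (not OpenSSL's code, and not part of the original article) simulates that handler on a constructed block of memory, with the vulnerable shape beside the hardened shape that checks the claimed length before copying; the record layout, the `SECRET` string and the helper names are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed "process memory": the record actually received is 3 header
 * bytes + 1 payload byte + 16 padding bytes (20 total); an unrelated secret
 * happens to sit right after it. Illustrative only, not OpenSSL's code. */
#define RECEIVED_LEN 20
#define PAD_LEN 16
static const char SECRET[] = "SECRET-KEY-MATERIAL";

static void build_memory(uint8_t *mem, size_t n, uint16_t claimed) {
    memset(mem, 0, n);
    mem[0] = 1;                          /* heartbeat request type */
    mem[1] = (uint8_t)(claimed >> 8);    /* claimed payload length, big-endian */
    mem[2] = (uint8_t)(claimed & 0xff);
    mem[3] = 'A';                        /* the only real payload byte */
    memcpy(mem + RECEIVED_LEN, SECRET, sizeof SECRET);   /* adjacent data */
}

/* Vulnerable shape: trusts the claimed length and never compares it with the
 * bytes received, so the copy runs past the record into adjacent memory. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                       /* actual length never consulted */
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Hardened shape (the approach the upstream fix took): header + claimed
 * payload + minimum padding must fit inside what was received, else drop. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 3) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + claimed + PAD_LEN > rec_len) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Feed a handler a record that claims `claimed` payload bytes but carries
 * one; returns 1 if the reply contains the adjacent secret, 0 if not, and
 * -1 if the handler dropped the request. */
int reply_leaks_secret(size_t (*handler)(const uint8_t *, size_t, uint8_t *),
                       uint16_t claimed) {
    uint8_t mem[128], out[128] = {0};
    build_memory(mem, sizeof mem, claimed);
    size_t n = handler(mem, RECEIVED_LEN, out);
    if (n == 0) return -1;
    for (size_t i = 0; i + sizeof SECRET <= n; i++)
        if (memcmp(out + i, SECRET, sizeof SECRET) == 0) return 1;
    return 0;
}
```

With a record that claims 64 bytes but carries one, the vulnerable handler's reply contains the adjacent secret while the hardened handler drops the request; an honest request that claims exactly the one byte it carries is still answered by both.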
In addition, this OpenSSL security flaw -- dubbed "Heartbleed" -- also allows attackers to see how the website is identifying itself through digital certificates. With this stolen certificate information, cyber thieves can create fake websites that look authentic to both you and your browser.
And the worst part about it is that you would have no idea that an attack had taken place because the stolen website certificate appears to be authentic.
What You Can Do to Mitigate the Risks
Luckily, not all versions of OpenSSL contain this security flaw. There are newer versions out there that have fixed this bug, and discovery of this very high-profile bug will likely trigger a rapid wave of website updates to eliminate it.
But this security flaw has been there for two years, and many websites still use vulnerable versions of OpenSSL. If you have an account with an impacted website, you should immediately update your login/password information. These sites will not only have to upgrade to a newer version of OpenSSL, but also replace all of the digital certificates previously issued to their web servers.
Unfortunately, there's also no way to know whether hackers used stolen secret keys to decrypt any of your account information or messages, since doing so would leave no trace. It's best to assume the worst and change your logins and passwords today -- not just on vulnerable websites, but on every website where you use the same or a similar login/password.