Many of you have been hearing the term “Heartbleed” over the past few days and wondering what exactly it is, and why people are so concerned about it.
Well, Heartbleed is the name of a major security vulnerability that may affect nearly two-thirds of websites online. It’s a severe situation potentially exposing your login information—your username and password—and other sensitive information about you.
WHAT IS HEARTBLEED?
It is important to understand that Heartbleed is not a virus; it is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows attackers to steal information that, under normal conditions, is protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
HOW DOES IT WORK?
To keep an SSL/TLS connection alive, your computer (the client) sends ‘heartbeats’ to the server that tell it the client is still online. A Heartbleed attack lets an attacker send a malicious heartbeat and receive, directly in the vulnerable server’s reply, a block of up to 64 KB of the server’s memory, and there is no limit on the number of times this can be repeated. [Technically explained by Rahul Sasi on Garage4hackers]
[Image: xkcd comic. Source: http://xkcd.com/1354/]
IS HEARTBLEED A CLIENT-SIDE OR SERVER-SIDE VULNERABILITY?
TLS heartbeats can be sent by either side of a TLS connection, so the bug can be used to attack clients as well as servers. An attacker can obtain up to 64 KB of memory from any server or client that uses an OpenSSL implementation vulnerable to Heartbleed (CVE-2014-0160).
WHAT SHOULD I DO?
As long as a vulnerable version of OpenSSL is in use, it can be abused. The first thing you need to do is check that your online services, like Yahoo and PayPal, have updated their servers to fix the Heartbleed vulnerability.
Do not change your passwords until you’ve done this. A lot of outlets are reporting that you need to change them as soon as possible, but Heartbleed primarily affects the server end of the communication: if the server hasn’t been patched, changing your password will not protect you, because the new password can be exposed in the same way as the old one.
CAN I DETECT IF SOMEONE HAS EXPLOITED THIS AGAINST ME?
Exploitation of this bug leaves no trace in the logs; nothing abnormal is recorded.
CAN IDS/IPS DETECT OR BLOCK THIS ATTACK?
Although a heartbeat can appear in different phases of the connection setup, intrusion detection and prevention system (IDS/IPS) rules to detect heartbeats have been developed. Because the traffic is encrypted, distinguishing legitimate use from an attack cannot be based on the content of the request, but the attack may be detected by comparing the size of the request against the size of the reply. This means an IDS/IPS can be programmed to detect the attack but not to block it, unless heartbeat requests are blocked altogether.
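To make the mechanism in “HOW DOES IT WORK?” and the size-comparison rule above concrete, here is an added example (not code from the original post, OpenSSL or any IDS vendor) that parses TLS heartbeat records and applies the same bounds check the patched OpenSSL performs, then compares a request against its reply the way an IDS rule would. The `build_heartbeat` helper and the sample records are constructed test fixtures; the TLS version 0x0302 and all field layouts follow RFC 6520 and the TLS record format.

```python
import struct

TLS_HEARTBEAT = 0x18          # TLS ContentType for the heartbeat extension (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of random padding

def build_heartbeat(hb_type, declared_len, payload, padding=b"\x00" * MIN_PADDING):
    """Constructed test fixture: wrap a heartbeat message in a TLS 1.1 record."""
    body = struct.pack("!BH", hb_type, declared_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body

def parse_heartbeat(record):
    """Parse one TLS record carrying a heartbeat and apply the bounds check
    the patched OpenSSL performs: type(1) + length(2) + declared payload +
    16 bytes of padding must fit inside the record that actually arrived."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        raise ValueError("not a heartbeat record")
    body = record[5:5 + rec_len]
    if len(body) < 3:
        raise ValueError("truncated heartbeat message")
    hb_type, declared_len = struct.unpack("!BH", body[:3])
    malformed = 3 + declared_len + MIN_PADDING > len(body)
    return {"type": hb_type, "declared_len": declared_len,
            "record_len": rec_len, "malformed": malformed}

def heartbleed_verdict(request, response):
    """Classify a request/response pair the way the IDS rule described above
    would: flag a request whose declared length exceeds what it carries, or a
    reply that echoes more payload than the request supplied."""
    req = parse_heartbeat(request)
    if req["type"] != HB_REQUEST:
        raise ValueError("first record is not a heartbeat request")
    if req["malformed"]:
        return "malformed-request"
    rsp = parse_heartbeat(response)
    if rsp["type"] == HB_RESPONSE and rsp["declared_len"] > req["declared_len"]:
        return "oversized-response"
    return "benign"

# Constructed sample records (not captured traffic)
GOOD_REQ = build_heartbeat(HB_REQUEST, 4, b"ping")
GOOD_RSP = build_heartbeat(HB_RESPONSE, 4, b"ping")
BAD_REQ = build_heartbeat(HB_REQUEST, 0x4000, b"ping")        # claims 16 KiB, carries 4 bytes
LEAK_RSP = build_heartbeat(HB_RESPONSE, 100, b"A" * 100)     # reply larger than request
```

A patched peer rejects `BAD_REQ` silently; an unpatched one answers it with a reply shaped like `LEAK_RSP`, which is the size mismatch the rule keys on.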
DOES TLS CLIENT CERTIFICATE AUTHENTICATION MITIGATE THIS?
No, a heartbeat request can be sent and is replied to during the handshake phase of the protocol. This occurs prior to client certificate authentication.
CAN THE HEARTBEAT EXTENSION BE DISABLED DURING THE TLS HANDSHAKE?
No, the vulnerable heartbeat extension code is activated regardless of the results of the handshake negotiation. The only way to protect yourself is to upgrade to a fixed version of OpenSSL or to recompile OpenSSL with the heartbeat extension removed from the code.
HOW DO I CHECK FOR HEARTBLEED?
If you’re concerned that a website you frequently visit is affected, you can check it with the Heartbleed test by filippo.io. If a website is vulnerable, the result clearly says so, as shown in the image below.