OpenSSL is open source software used by websites, including Google, Gmail, Facebook, Yahoo and many thousands more, to encrypt all of our data. But the Heartbleed bug, just recently discovered by two researchers, left the door wide open to data attacks on vulnerable web servers.
We also found out that the Heartbleed bug is in a version of the OpenSSL software that’s two years old — so this vulnerability could have been attacked for a very long time by someone with the resources to exploit it.
Sophos security experts helped us to understand Heartbleed and what it means, how to protect yourself, and why we should all be thankful for open source software, even if it’s not perfect.
Note to Sophos Customers: To get the most current information on how this bug affects our products, please see the knowledgebase article in the Support section of our website.
Internet skips a Heartbeat
Chester Wisniewski, Sophos senior security advisor, let us in on what Heartbleed is and why it’s so important for security on the Internet.
Chet explained that OpenSSL sends a small packet of data back and forth between web servers to make sure the connection is still working, what’s called a TLS Heartbeat.
Only now it turns out that servers could be tricked into sending system-stored data in response to a Heartbeat ping — data which could include passwords and encryption keys.
In an opinion column published on CNN.com, Chet described how two-thirds of all websites were vulnerable to Heartbleed.
Fortunately, most major Web services have already applied fixes to the affected Web servers and services. The bad news is that smaller websites as well as many companies' products that rely on OpenSSL may linger for many more years without a fix.
Chet told BuzzFeed that an even bigger concern is who might have known about the Heartbleed bug before the rest of us caught on — and the most likely organization to know would be the U.S. National Security Agency (NSA), which has the means and an interest in finding such vulnerabilities.
“That’s exactly what the leaked NSA programs are supposed to do: Find the flaws, exploit them and never tell anyone,” Chet said.
According to Chet, the “open” part of OpenSSL means this vital security software is maintained by volunteer researchers, not commercial interests.
And that means we should be focusing our attention on supporting the open parts of the Internet that we rely on for freedom of communication.
All of us have come to rely on the Internet socially, politically and economically. The billions of dollars a year being made by the tech giants would not be possible without the millions of donated hours that maintain free and open software like OpenSSL, Linux, Apache Web server, and Postfix mail server.
Sophos Security Chet Chat #142: Heartbleed explained, Patches assessed, Apple chastised
In this episode of the weekly Chet Chat podcast, Sophos experts Chester Wisniewski and Paul Ducklin dive into the Heartbleed bug and tell us what it all means.
Plus, they share their expertise on all the other big stories of the week, including the end of XP support, Apple’s patching issues, and a whole lot more.
Learn more about OpenSSL Heartbleed
Paul Ducklin, Sophos senior security analyst and writer for Naked Security, proved his chops as an encryption expert this week with his excellent coverage of the OpenSSL Heartbleed bug.
Read his articles to get all the information you need to understand and counter this bug.
- “Heartbleed” — Would 2FA have helped?
- Anatomy of a data leakage bug – the OpenSSL “heartbleed” buffer overflow
- “Heartbleed heartache” – should you REALLY change all your passwords right away?
- Sending a “Heartbleed” password reset email? Please don’t include a login link!
60 Second Security: Heartbleed, Google Play, and XP
Paul Ducklin runs down the news of the week in just about a minute, including quick summaries of Heartbleed, a Google Play scam, and XP’s last security patch.
- Google takes down fake anti-virus app that duped 10,000 users on Play Store
- Patch Tuesday April 2014 – XP’s last breath
- Patch Tuesday for April 2014 – it’s Goodbye, Farewell and Amen for Windows XP
Keep up with Sophos news
You can get all the latest Sophos related news right here. Sign up for our Sophos Blog newsletter by filling in your email address at the top right of the blog’s webpage. Follow us on your favorite social media networks, chat with us in our forums, download our informative podcasts, or sign up for our RSS feeds.