When you connect to a secure website or service, a private connection is established between your browser and the web server. You can usually see this by the padlock icon and https text that appears at the start of the website address in your browser's address bar.
This connection is authenticated by a certificate that the server presents so your browser can verify it is who it claims to be. Data transferred between the two is then encrypted via Secure Sockets Layer (SSL), or its successor Transport Layer Security (TLS), which combine public-key cryptography (the server's public and private key pair) with symmetric session keys so that only your computer and the web server can decrypt and read the sensitive information.
Once the session ends the session keys are discarded, and new ones are negotiated the next time you connect. At least that's the way it's meant to work. Unfortunately a flaw in OpenSSL's implementation of the TLS Heartbeat extension, present in OpenSSL 1.0.1 through 1.0.1f, left a very serious hole in this supposedly secure process. A heartbeat request carries a small payload and a two-byte field stating the payload's length; the vulnerable code copied that many bytes into its reply without checking that the request actually contained them, so a single malformed request could pull up to 64K of whatever happened to be in the server's memory. That could include personal information left behind by other users' connections and, more importantly, the server's private key itself.
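The mechanism described above, as an added example that is not code from the original article or from OpenSSL: a constructed C model of a heartbeat handler with and without the missing bounds check. The memory arena, the embedded "secret" string, the payload text and all function names are assumptions made for the illustration; the fixed handler is modelled on the length check that OpenSSL 1.0.1g added, not copied from it.

```c
/*
 * Constructed model of the Heartbleed bug. A TLS heartbeat record (RFC 6520) is
 * type(1) | payload_length(2) | payload | padding(>=16). The pre-fix handler
 * trusts payload_length; the fixed one checks it against the bytes it really got.
 * Illustrative code only, not OpenSSL source.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define MAX_PAYLOAD  65535
#define RESP_CAP     (1 + 2 + MAX_PAYLOAD + HB_PADDING)
#define ARENA_SIZE   (RESP_CAP + 64)

typedef int (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

/* Simulated server memory (constructed): the incoming record sits at offset 0,
 * followed by data another connection left behind. The arena is big enough that
 * even a 65535-byte over-read stays inside the simulation; the real bug read
 * real process memory. */
static unsigned char arena[ARENA_SIZE];
static unsigned char resp[RESP_CAP];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY----- constructed example secret";

/* Lay out a heartbeat request whose length field may lie about the payload. */
static size_t setup_arena(uint16_t claimed_len, const char *payload)
{
    size_t actual = strlen(payload);
    size_t rec_len = 1 + 2 + actual + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual);
    memset(arena + 3 + actual, 0xAA, HB_PADDING);   /* stands in for random padding */
    memcpy(arena + rec_len, secret, sizeof secret);  /* adjacent heap contents */
    return rec_len;
}

/* Shared response builder: echoes payload_len bytes starting at p, then padding. */
static int write_response(const unsigned char *p, uint16_t payload_len,
                          unsigned char *out, size_t out_cap)
{
    size_t total = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (total > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, p, payload_len);              /* copy length chosen by the peer */
    memset(out + 3 + payload_len, 0xBB, HB_PADDING);
    return (int)total;
}

/* Pre-fix logic: payload_len comes from the record and is never compared with
 * rec_len, so the memcpy above runs past the record into adjacent memory. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                /* ignored: that is the bug */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    return write_response(rec + 3, payload_len, out, out_cap);
}

/* Fixed logic: a record too short for header plus padding, or whose claimed
 * payload does not fit in the bytes received, is silently discarded (RFC 6520). */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return 0;
    return write_response(rec + 3, payload_len, out, out_cap);
}

/* Run one request through a handler; returns the response length (0 = discarded). */
static int handle_len(hb_handler h, uint16_t claimed_len, const char *payload)
{
    size_t rec_len = setup_arena(claimed_len, payload);
    memset(resp, 0, sizeof resp);
    return h(arena, rec_len, resp, sizeof resp);
}

/* Returns 1 if the response echoes the secret that lay beyond the record. */
static int leaks_secret(hb_handler h, uint16_t claimed_len, const char *payload)
{
    int n = handle_len(h, claimed_len, payload);
    size_t slen = strlen(secret);
    for (size_t i = 0; n > 0 && i + slen <= (size_t)n; i++)
        if (memcmp(resp + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("honest request (len 5), vulnerable: %d bytes, leak=%d\n",
           handle_len(heartbeat_vulnerable, 5, "hello"), leaks_secret(heartbeat_vulnerable, 5, "hello"));
    printf("claimed len 65535, vulnerable:      %d bytes, leak=%d\n",
           handle_len(heartbeat_vulnerable, 65535, "hello"), leaks_secret(heartbeat_vulnerable, 65535, "hello"));
    printf("claimed len 65535, fixed:           %d bytes, leak=%d\n",
           handle_len(heartbeat_fixed, 65535, "hello"), leaks_secret(heartbeat_fixed, 65535, "hello"));
    return 0;
}
```

The honest request produces the same 24-byte reply from both handlers; only when the length field lies does the behaviour diverge. The fixed handler discards rather than errors because RFC 6520 says a peer must silently drop a heartbeat whose payload length does not match, and the check is done on the record length actually received, not on anything the peer supplied. The same code path runs in a client, which is why the bug is bidirectional.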
"Basically, an attacker can grab 64K of memory from a server" wrote security expert Bruce Schneier on his blog. "The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it. 'Catastrophic' is the right word. On the scale of 1 to 10, this is an 11."
Steve Gibson, co-host of the Security Now podcast, also commented on his show about the further capabilities of the bug, stating "It is a bidirectional exploit. So if the client had this then something you've connected to could come and get memory from you as well."
The bug was discovered independently by Neel Mehta of Google's security team and by Finnish security company Codenomicon, whose engineers found worrying errors relating to OpenSSL while testing a new Safeguard variant of its software. To further explore the bug the engineers decided to hack their own site.
"We have tested some of our own services from [an] attacker's perspective", the company revealed on its hastily assembled Heartbleed website. "We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able [to] steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."