How Did Heartbleed Put the Whole Internet in Danger?

A tiny bug has the Web community terrified.

National Journal
Alex Brown and Reena Flores
April 14, 2014, 9:36 a.m.

Dear Internet user, by now you've probably heard about the Heartbleed bug. Hopefully you've already changed your passwords (after each site confirmed it had patched: a new password sent to a still-vulnerable server can leak just like the old one). You're probably wondering how a tiny flaw came to put the whole Web at risk. Here's what happened.

Much of the Internet relies on free, volunteer-created code. In this case, the bug was found in an encryption library called OpenSSL, a project run by four people who work on it part-time. The 15-year-old software is nearly ubiquitous, securing about two-thirds of encrypted Internet connections. The flaw, tracked as CVE-2014-0160, affects OpenSSL versions 1.0.1 through 1.0.1f; version 1.0.1g, released on April 7, 2014, fixes it.

To put it in simpler terms, something like half a million websites use code created by OpenSSL for their encryption. You may have heard of a few: Google, Yahoo, OKCupid, Instagram, and TurboTax are among the sites affected.

So what caused the problem? Well, connected systems like to communicate periodically to make sure their counterparts are still online. In TLS this is known as a heartbeat (the extension is defined in RFC 6520), something like the pulsing beats sent out by monitors in hospital rooms.

A heartbeat consists of two things: 1) a small amount of information (the payload, arbitrary bytes chosen by the sender), and 2) a number denoting just how much information is sent (a two-byte length field, so the sender can claim anything up to 65,535 bytes). One computer will send some data, say 16 kilobytes worth, and tell the other just what it should expect to receive.

The receiving computer will respond, acknowledging the number and sending the received data right back. This is how both computers know the other is still around.

This is where the problem comes in. In the affected versions of OpenSSL, the receiving computer looks only at the number, not at how much data actually arrived. When it responds, it copies as many bytes as the number affixed to the original message says, starting from where the received payload sits in memory.

This wouldn't normally be a problem, since well-behaved clients automatically match the number with the data being sent. But if an attacker manipulated a heartbeat to send a false number, it could cause trouble.

For instance, if an attacker sent a heartbeat consisting of 16 kilobytes of data, but told the receiving computer it was sending 32, the computer would send 32 right back. It would make up the difference with whatever happened to sit next to the message in its own memory: not random bits, but the contents of neighbouring heap allocations, which on a busy server are often other users' recent requests. A single forged heartbeat can pull back up to 64 kilobytes, and nothing stops the attacker from repeating it.

That data could include passwords, session cookies, credit card numbers and all kinds of sensitive information; in some configurations the server's private key was shown to be recoverable, which would let an attacker impersonate the site or decrypt captured traffic. Any one heartbeat returns only whatever is nearby in memory, but as heartbeats repeat over and over, attackers could pile up troves of information, which they could then search for patterns to identify exploitable material.
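The over-read described above, reduced to a runnable model. This is an added example written for this page, not OpenSSL's code: a fixed-size arena stands in for the server's heap (the received record at the front, leftover data from an earlier request behind it), the secret and the forged request are constructed inline, and the handler mirrors the affected code's logic, a length taken from the peer and never compared with the bytes that actually arrived. The "fixed" handler applies the check OpenSSL 1.0.1g added: a declared length that does not fit inside the received record is silently discarded. The forged request carries 4 bytes but claims 64 rather than the article's kilobyte-scale numbers, to keep the arena small; the mechanism is the same.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520): 1-byte type (1 = request, 2 = response),
 * 2-byte big-endian payload_length, payload bytes, then >= 16 bytes padding. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER = 3, HB_PADDING = 16 };

/* ARENA stands in for the server's heap (assumption of this demo): the received
 * record sits at the start and data from earlier requests follows it. Reading
 * past record_len but inside the arena models the real over-read without
 * undefined behaviour. */
#define ARENA_SIZE 512

static size_t read_u16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

static void write_header(uint8_t *out, size_t payload)
{
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1 to 1.0.1f: the byte count
 * comes from the peer's length field and record_len is never consulted. */
size_t heartbeat_vulnerable(const uint8_t *arena, size_t record_len,
                            uint8_t *out, size_t out_cap)
{
    size_t payload = read_u16(arena + 1);                 /* attacker-chosen */
    size_t resp_len = HB_HEADER + payload + HB_PADDING;
    (void)record_len;                                     /* the bug: ignored */
    if (arena[0] != HB_REQUEST || resp_len > out_cap) return 0;
    write_header(out, payload);
    memcpy(out + HB_HEADER, arena + HB_HEADER, payload);  /* over-read */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler: the bounds check added in OpenSSL 1.0.1g. A declared payload
 * that does not fit inside the received record is discarded (returns 0). */
size_t heartbeat_fixed(const uint8_t *arena, size_t record_len,
                       uint8_t *out, size_t out_cap)
{
    if (record_len < HB_HEADER + HB_PADDING || arena[0] != HB_REQUEST) return 0;
    size_t payload = read_u16(arena + 1);
    if (HB_HEADER + payload + HB_PADDING > record_len) return 0; /* the fix */
    size_t resp_len = HB_HEADER + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    write_header(out, payload);
    memcpy(out + HB_HEADER, arena + HB_HEADER, payload);
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return resp_len;
}

/* Constructed input: a request carrying 4 payload bytes that claims 64,
 * followed 8 bytes later by a secret left over from an earlier request.
 * Returns the record's real length on the wire (23 bytes). */
size_t build_arena(uint8_t *arena)
{
    static const char secret[] = "Cookie: session=hunter2";   /* constructed */
    memset(arena, 0xAA, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = 0x00; arena[2] = 0x40;                        /* claims 64 */
    memcpy(arena + HB_HEADER, "ping", 4);                    /* sends 4 */
    size_t record_len = HB_HEADER + 4 + HB_PADDING;
    memcpy(arena + record_len + 8, secret, sizeof secret - 1);
    return record_len;
}

/* 1 if the secret appears anywhere in an n-byte response. */
int response_leaks(const uint8_t *out, size_t n)
{
    static const char needle[] = "hunter2";
    for (size_t i = 0; i + sizeof needle - 1 <= n; i++)
        if (memcmp(out + i, needle, sizeof needle - 1) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler answers the forged request with the secret. */
int vulnerable_leaks(void)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t record_len = build_arena(arena);
    size_t n = heartbeat_vulnerable(arena, record_len, out, sizeof out);
    return n == HB_HEADER + 64 + HB_PADDING && response_leaks(out, n);
}

/* 1 if the fixed handler discards the same forged request. */
int fixed_rejects(void)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t record_len = build_arena(arena);
    return heartbeat_fixed(arena, record_len, out, sizeof out) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks());
    printf("fixed handler discards request:  %d\n", fixed_rejects());
    return 0;
}
```

The vulnerable handler returns an 83-byte response (3-byte header, 64 bytes of "payload", 16 bytes of padding) of which only 4 payload bytes were ever sent; the other 60 are whatever followed the record in memory, here the constructed cookie. The fixed handler rejects the same record because 3 + 64 + 16 exceeds the 23 bytes that arrived.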

No one really knows whether attackers were aware of the Heartbleed flaw before it was disclosed. The bug shipped in OpenSSL 1.0.1 in March 2012, so it had been around for two years, and a forged heartbeat leaves no trace in ordinary server logs, so an administrator cannot simply check whether it was used. If malicious operators recognized the bug a while ago, nearly everyone's online presence could be at risk.

On the other hand, if the engineers who discovered it were the first to be aware of its presence, you might be in the clear. Site operators should not count on that: the prudent response is to patch, then reissue certificates and rotate private keys, session cookies and passwords, in that order.
