How Did Heartbleed Put the Whole Internet in Danger?

A tiny bug has the Web community terrified.

National Journal
Alex Brown and Reena Flores
April 14, 2014, 9:36 a.m.

Dear Internet user, by now you’ve probably heard about the Heartbleed bug. Hopefully you’ve already changed your passwords. You’re probably wondering how a tiny flaw came to put the whole Web at risk. Here’s what happened.

Much of the Internet relies on free, volunteer-created code. In this case, the bug was found in an encryption library called OpenSSL, a project run by four people who work on it part-time. The 15-year-old software is nearly ubiquitous, securing about two-thirds of encrypted Internet connections.

To put it in simpler terms, something like half a million websites use code created by OpenSSL for their encryption. You may have heard of a few: Google, Yahoo, OKCupid, Instagram, and TurboTax are among the sites affected.

So what caused the problem? Well, connected systems like to communicate periodically to make sure their counterparts are still online. This is known as a heartbeat, something like the pulsing beats sent out by monitors in hospital rooms.

A heartbeat consists of two things: 1) a tiny amount of information, and 2) a number denoting just how much information is sent. One computer will send random data, say 16 kilobytes worth, and tell the other just what it should expect to receive.

The receiving computer will respond, acknowledging the number and sending the received data right back. This is how both computers know the other is still around.

This is where the problem comes in. In OpenSSL, the receiving computer looks only at the number, not the actual amount of data. When it responds, the data it returns matches the number affixed to the original message.

This wouldn’t normally be a problem, since heartbeats automatically match the number with the data being sent. But if a hacker manipulated a heartbeat to send a false number, it could cause trouble.

For instance, if a hacker sent a heartbeat consisting of 16 kilobytes of data, but told the receiving computer it was sending 32, the computer would send 32 right back. It would make up the difference by grabbing random bits of data from its own memory.
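The length mismatch described above, as an added example in Python that is not part of the original article: a toy heartbeat responder in its pre-fix form (trusts the declared number) beside its hardened form (checks the number against the size of the record that actually arrived). The message layout follows RFC 6520; the memory buffer, the `ping` payload and the `session-token=EXAMPLE_SECRET` string are constructed for the simulation, and `simulate` places the secret directly after the record so the over-read is visible.

```python
import struct
from typing import Optional, Tuple

# Wire layout of a TLS heartbeat message (RFC 6520):
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3          # type + payload_length
MIN_PADDING = 16        # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Serialise a heartbeat request. `declared_len` defaults to the real payload
    size; passing a different value models a message whose number lies."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + b"\x00" * MIN_PADDING


def respond_unchecked(memory: bytearray, offset: int) -> bytes:
    """Pre-fix behaviour: trust the declared length and copy that many bytes
    starting at the payload, whatever actually lies there."""
    _, declared_len = struct.unpack_from("!BH", memory, offset)
    start = offset + HEADER_LEN
    echoed = bytes(memory[start:start + declared_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, declared_len) + echoed


def respond_checked(memory: bytearray, offset: int, record_len: int) -> Optional[bytes]:
    """Hardened behaviour: the declared length must fit inside the record that
    was actually received (header + payload + minimum padding); otherwise the
    message is silently dropped."""
    if record_len < HEADER_LEN + MIN_PADDING:
        return None                       # too short to hold even a header and padding
    _, declared_len = struct.unpack_from("!BH", memory, offset)
    if HEADER_LEN + declared_len + MIN_PADDING > record_len:
        return None                       # declared length exceeds what was sent
    start = offset + HEADER_LEN
    echoed = bytes(memory[start:start + declared_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, declared_len) + echoed


# Constructed stand-in for whatever bytes happen to sit after the record in memory.
SECRET = b"session-token=EXAMPLE_SECRET"


def simulate(declared_len: Optional[int]) -> Tuple[bytes, Optional[bytes]]:
    """Place a 4-byte heartbeat in a toy memory buffer directly followed by SECRET
    and return (unchecked response, checked response)."""
    record = build_heartbeat(b"ping", declared_len)
    memory = bytearray(record + SECRET)   # constructed layout, not real process memory
    return respond_unchecked(memory, 0), respond_checked(memory, 0, len(record))


if __name__ == "__main__":
    honest_unchecked, honest_checked = simulate(None)
    print("honest request, both paths echo:", honest_unchecked[HEADER_LEN:],
          honest_checked == honest_unchecked)
    lying_unchecked, lying_checked = simulate(40)
    print("lying request, unchecked path leaks the secret:", SECRET[:20] in lying_unchecked)
    print("lying request, checked path drops it:", lying_checked is None)
```

The whole fix is the one comparison in `respond_checked`: the number inside the message can lie, but the length of the record the transport actually delivered cannot, so the declared payload length is validated against that before anything is copied. An honest 4-byte request is echoed identically by both paths; a request that declares 40 bytes makes the unchecked path copy 20 bytes of the neighbouring secret into the reply, while the checked path returns nothing.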

That data could include passwords, credit card numbers and all kinds of sensitive information. Of course, it’s unlikely those are the things your computer would randomly select, but over time — as heartbeats repeat over and over — hackers could potentially pile up troves of information, which they could then search for patterns to identify exploitable material.

No one really knows if hackers were aware of the Heartbleed flaw. It’s been around for two years, so if malicious operators recognized the bug a while ago, nearly everyone’s online presence could be at risk.

On the other hand, if the engineers who discovered it were the first to be aware of its presence, you might be in the clear.