How Did Heartbleed Put the Whole Internet in Danger?

A tiny bug has the Web community terrified.

National Journal
Alex Brown and Reena Flores
April 14, 2014, 9:36 a.m.


Dear Internet user, by now you've probably heard about the Heartbleed bug. Hopefully you've already changed your passwords, ideally only after each site confirmed it had patched and replaced its certificate, since a new password sent to a still-vulnerable server can leak just like the old one. You're probably wondering how a tiny flaw came to put the whole Web at risk. Here's what happened.

Much of the Internet relies on free, volunteer-created code. In this case, the bug was found in an encryption library called OpenSSL, a project run by four people who work on it part-time. The 15-year-old software is nearly ubiquitous, securing about two-thirds of encrypted Internet connections. The flaw, tracked as CVE-2014-0160, is present in OpenSSL 1.0.1 through 1.0.1f; the fixed release, 1.0.1g, came out on April 7, 2014.

To put it in simpler terms, something like half a million websites use code created by OpenSSL for their encryption. You may have heard of a few: Google, Yahoo, OKCupid, Instagram, and TurboTax are among the sites affected.

So what caused the problem? Well, connected systems like to communicate periodically to make sure their counterparts are still online. This is known as a heartbeat, something like the pulsing beats sent out by monitors in hospital rooms. In TLS it is the heartbeat extension defined in RFC 6520, which is where the bug got its name.

A heartbeat consists of two things: 1) a small amount of arbitrary data, the payload, and 2) a number stating how many bytes that payload contains. One computer sends the payload, say 16 kilobytes worth, and tells the other exactly how much it should expect to receive.

The receiving computer will respond, acknowledging the number and sending the received data right back. This is how both computers know the other is still around.

This is where the problem comes in. In OpenSSL, the receiving computer looked only at the number, never at how much data had actually arrived. When it responded, it copied back as many bytes as the number in the original message said, starting where the payload began.

This wouldn't normally be a problem, since a well-behaved sender always sets the number to match the data it actually sends. But if an attacker manipulated a heartbeat to carry a false number, the receiver would dutifully honour it.

For instance, if an attacker sent a heartbeat consisting of 16 kilobytes of data but told the receiving computer it was sending 32, the computer would send 32 kilobytes right back. It made up the difference with whatever happened to sit next to the request in its own memory: not random bits, but the contents of neighbouring allocations. Because the length field is 16 bits wide, a real attack needs to send only a single byte while claiming 65,535, netting close to 64 kilobytes of server memory per heartbeat.
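The mechanism described above, written out in C as an added example; this is not code from the article or from OpenSSL itself. It simulates the server's memory with one array (a constructed secret placed right after the received record stands in for a neighbouring heap allocation), implements a heartbeat handler that trusts the declared length the way OpenSSL 1.0.1 through 1.0.1f did, and beside it the same handler with the single bounds check that 1.0.1g added. The function names (`heartbeat_vulnerable`, `heartbeat_fixed`, `build_request`), the arena, and the secret string are assumptions made for the example; the message layout follows RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated process memory (constructed for this example): the received
 * record sits at the start, and a constructed secret sits right after it,
 * standing in for a neighbouring heap allocation. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "session-cookie=hunter2";   /* constructed */

/* Heartbeat message layout from RFC 6520: byte 0 is the type (1 request,
 * 2 response), bytes 1-2 the big-endian payload_length, then the payload,
 * then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* A received record: where it sits plus how many bytes actually arrived. */
struct record { const unsigned char *data; size_t length; };

static uint16_t read_u16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void write_u16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }

/* Vulnerable handler, the logic shape of OpenSSL 1.0.1 through 1.0.1f: it
 * trusts payload_length and never compares it with rec->length. Returns the
 * number of response bytes written to out (0 means no response). */
size_t heartbeat_vulnerable(const struct record *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    if (rec->length < 3 || p[0] != HB_REQUEST) return 0;
    uint16_t payload_len = read_u16(p + 1);
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    write_u16(out + 1, payload_len);
    /* Copies payload_len bytes no matter how many arrived; the surplus is
     * whatever happens to follow the record in memory. */
    memcpy(out + 3, p + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Hardened handler: the one bounds check OpenSSL 1.0.1g added. A request whose
 * declared length does not fit inside the bytes actually received is silently
 * discarded; once that holds, the copy above cannot run past the record. */
size_t heartbeat_fixed(const struct record *rec, unsigned char *out, size_t out_cap)
{
    if (rec->length < 3) return 0;
    if (1 + 2 + (size_t)read_u16(rec->data + 1) + HB_PADDING > rec->length) return 0;
    return heartbeat_vulnerable(rec, out, out_cap);
}

/* Lays out a request in the arena: a 2-byte payload ("hi") plus padding,
 * payload_length set to claimed_len, and the secret directly after it. */
static struct record build_request(uint16_t claimed_len)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    write_u16(arena + 1, claimed_len);
    memcpy(arena + 3, "hi", 2);
    memset(arena + 5, 0xAA, HB_PADDING);
    size_t wire_len = 3 + 2 + HB_PADDING;               /* 21 bytes really sent */
    memcpy(arena + wire_len, SECRET, sizeof SECRET);
    struct record rec = { arena, wire_len };
    return rec;
}

/* 1 if the secret appears anywhere in the response bytes, else 0. */
static int contains_secret(const unsigned char *resp, size_t len)
{
    size_t n = sizeof SECRET - 1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(resp + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Sends a request declaring claimed_len bytes to the vulnerable handler;
 * returns 1 if the response carries the secret. */
int vulnerable_leaks(uint16_t claimed_len)
{
    unsigned char resp[ARENA_SIZE];
    struct record rec = build_request(claimed_len);
    size_t n = heartbeat_vulnerable(&rec, resp, sizeof resp);
    return n > 0 && contains_secret(resp, n);
}

/* Same request to the fixed handler; returns the response length, 0 if dropped. */
size_t fixed_response_len(uint16_t claimed_len)
{
    unsigned char resp[ARENA_SIZE];
    struct record rec = build_request(claimed_len);
    return heartbeat_fixed(&rec, resp, sizeof resp);
}

int main(void)
{
    printf("vulnerable, claims 200: leaks=%d\n", vulnerable_leaks(200));
    printf("fixed, claims 200: response bytes=%zu\n", fixed_response_len(200));
    printf("fixed, claims 2: response bytes=%zu\n", fixed_response_len(2));
    return 0;
}
```

The over-read stays inside the simulated arena so the program is well-defined; on a real server the same `memcpy` walks into whatever the allocator placed after the record, which is why the leaked bytes vary from one heartbeat to the next. Note that the fix is purely a comparison against the number of bytes that really arrived; the request is dropped rather than answered, so a patched server simply goes quiet on a malformed heartbeat.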

That data could include passwords, credit card numbers, session cookies and even the server's private key. Of course, any single response is a gamble as to what it contains, but as the attacker repeats heartbeats over and over, they can pile up troves of memory, which they can then search for patterns to identify exploitable material.

No one really knows whether attackers were aware of the Heartbleed flaw before it was disclosed. The vulnerable code shipped in OpenSSL 1.0.1 in March 2012, so it had been around for two years; if malicious operators recognized the bug a while ago, nearly everyone's online presence could be at risk.

On the other hand, if the engineers who discovered it were the first to be aware of its presence, you might be in the clear. The catch is that exploiting the bug leaves nothing unusual in a server's logs, so no site can prove it was never hit, which is why the safe assumption is that keys and credentials exposed on vulnerable servers were compromised.
