How Did Heartbleed Put the Whole Internet in Danger?

A tiny bug has the Web community terrified.

National Journal
Alex Brown and Reena Flores
April 14, 2014, 9:36 a.m.


Dear Internet user, by now you've probably heard about the Heartbleed bug. Hopefully you've already changed your passwords. You're probably wondering how a tiny flaw came to put the whole Web at risk. Here's what happened.

Much of the Internet relies on free, volunteer-created code. In this case, the bug was found in an encryption library called OpenSSL, a project run by four people who work on it part-time. The 15-year-old software is nearly ubiquitous, securing about two-thirds of encrypted Internet connections.

To put it in simpler terms, something like half a million websites use code created by OpenSSL for their encryption. You may have heard of a few: Google, Yahoo, OKCupid, Instagram, and TurboTax are among the sites affected.

So what caused the problem? Well, connected systems like to communicate periodically to make sure their counterparts are still online. This is known as a heartbeat, something like the pulsing beats sent out by monitors in hospital rooms.

A heartbeat consists of two things: 1) a small amount of information, and 2) a number stating how much information is being sent. One computer will send some arbitrary data, say 16 kilobytes' worth, and tell the other exactly what it should expect to receive.

The receiving computer responds by acknowledging the number and sending the received data right back. This is how both computers know the other is still around.

This is where the problem comes in. In OpenSSL, the receiving computer looked only at the number, not at the actual amount of data it had received. When it responded, the data it returned matched the number affixed to the original message, whether or not that much data had actually arrived.

This wouldn't normally be a problem, since heartbeats automatically match the number with the data being sent. But if a hacker manipulated a heartbeat to carry a false number, it could cause trouble.

For instance, if a hacker sent a heartbeat containing 16 kilobytes of data but told the receiving computer it was sending 32, the computer would send 32 kilobytes right back. It would make up the difference with whatever happened to be sitting in the nearby area of its own memory.

That data could include passwords, credit card numbers and all kinds of sensitive information. Of course, it's unlikely that any single response would happen to contain exactly those things, but over time — as heartbeats repeat over and over — hackers could potentially pile up troves of information, which they could then search for patterns to identify exploitable material.
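The length-trusting pattern described above, side by side with the check that fixes it, as an added illustration in C that is not OpenSSL's code or this article's: the record layout, the function names and the sample memory contents are all constructed for the example.

```c
#include <stdint.h>
#include <string.h>
/* Simplified heartbeat record (constructed for illustration, not OpenSSL's own code):
 * a 2-byte length field, then the payload; record_len is how many bytes really arrived. */
struct hb_record {
    const uint8_t *data;
    size_t record_len;
};

/* The number the sender affixed to the message, telling the peer how much to echo. */
static size_t claimed_payload_len(const struct hb_record *r) {
    return ((size_t)r->data[0] << 8) | r->data[1];
}

/* Vulnerable pattern: the claimed length is used without checking it against record_len,
 * so a claim larger than the record reads past it into whatever sits next in memory. */
size_t heartbeat_reply_vulnerable(const struct hb_record *r, uint8_t *out, size_t out_cap) {
    size_t n = claimed_payload_len(r);
    if (n > out_cap) n = out_cap;        /* only the reply buffer is bounded, not the source */
    memcpy(out, r->data + 2, n);         /* over-read whenever n > record_len - 2 */
    return n;                            /* bytes echoed back */
}

/* Hardened pattern: the claimed length must fit inside what actually arrived;
 * otherwise the message is discarded and nothing is echoed (returns 0). */
size_t heartbeat_reply_fixed(const struct hb_record *r, uint8_t *out, size_t out_cap) {
    if (r->record_len < 2) return 0;
    size_t n = claimed_payload_len(r);
    if (n > r->record_len - 2 || n > out_cap) return 0;
    memcpy(out, r->data + 2, n);
    return n;
}

/* Constructed scenario: a 6-byte record whose length field claims 32 but which carries only
 * 4 payload bytes, followed by 'S' bytes standing in for unrelated data next to it in memory. */
static const uint8_t demo_mem[] = "\x00\x20" "ABCD" "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS";
static const struct hb_record demo_rec = { demo_mem, 6 };
/* With the vulnerable handler: how many echoed bytes came from beyond the record. */
size_t demo_leaked_bytes(void) {
    uint8_t out[64];
    size_t echoed = heartbeat_reply_vulnerable(&demo_rec, out, sizeof out);
    return echoed > 4 ? echoed - 4 : 0;   /* 28 bytes of neighbouring memory */
}
/* With the hardened handler: the same record is rejected and nothing is echoed. */
size_t demo_fixed_echoed(void) {
    uint8_t out[64];
    return heartbeat_reply_fixed(&demo_rec, out, sizeof out);   /* 0 */
}
```

The single added comparison in the hardened handler is the whole difference: the claimed length is checked against what really arrived before anything is copied.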

No one really knows if hackers were aware of the Heartbleed flaw. It's been around for two years, so if malicious operators recognized the bug a while ago, nearly everyone's online presence could be at risk.

On the other hand, if the engineers who discovered it were the first to be aware of its presence, you might be in the clear.
