More than just a vulnerability in a popular program
The impact of this vulnerability is massive. 2/3 of all web servers use potentially vulnerable versions of OpenSSL for encrypted communication. Among these were sites like Google, Gmail, YouTube, Yahoo, Instagram, Pinterest, Tumblr, Doodle, Dropbox, github and many more. The good thing about this is, that the bugs were fixed very swiftly. So, the SSL/TLS infrastructure is now by far better off than before.
The real impact of this vulnerability on the other hand is not clear. Vulnerable versions go back to December 2011. Several attacks like the BEAST attack made for a wide and quick adoption of these versions. The attack is well explained in a comic strip published by XKCD which we have also posted below this text.
The effect of an exploit is that 64 KB of memory data is leaked to the attacker without leaving any trace. With this exploit one can get access to the following data:
- encryption keys for encrypted traffic (i.e. in case of abuse any SSL traffic can be decrypted)
- user name & password combinations
- encrypted content (depending on the site this could be mails, documents, transaction data, instant messages etc.)
And this is exactly what makes this bug special. The potentially stolen data persist beyond fixing the bug. An attacker who stole the encryption key can decrypt the traffic even after the bug itself is fixed. If an attacker stole passwords, it is still possible to access the accounts and abuse it. Currently we have no indication that data from such sources is traded in the cybercrime underground markets. However, looking back at the Snowden revelations, a different light is shed on the situation. If secret services (would) have used this vulnerability they would be able to continue monitoring e.g. email communication, even if it is SSL-encrypted. If someone stole user credentials, it would be possible to steal data from this account e.g. from Pinterest or Dropbox.
So, besides fixing the servers it might be necessary for providers to change the encryption keys. End users should change their passwords for accounts that might have been affected.
Just to be clear: there is no proof that anyone exploited this vulnerability. It might be that nothing happened at all. But if the Snowden affair has raised your level of paranoia, it might be worthwhile to change your passwords (after the bug was fixed on the server, of course). BTW: changing passwords regularly is not a bad idea in general.
Some closing remarks:
- This bug in OpenSSL does not mean that encryption is useless. TLS is not broken it is still an important and necessary step for maintaining privacy.
- You can test whether a web server is vulnerable here: http://filippo.io/Heartbleed/
- The use of OpenSSL goes far beyond HTTPS communication, as SANS reports.
- Our web servers were not affected by this vulnerability.
More info about the vulnerability is available at http://heartbleed.com/.
You find a mash of potentially vulnerable sites at http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/