A bug was discovered in OpenSSL, CVE-2014-0160, that has since been named “The Heartbleed Bug”. If you have not heard about this, have a look at this website that explains the bug in detail much better than I can with my limited understanding of crypto. In short:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The bug is said to affect 2 out of 3 web servers on the internet, which is a staggering amount. This can include your website hosting server, your bank's web server, email server, etc. What's worse is that this bug has been around since 2011, and those who have potentially been exploiting it have gone undetected, as exploitation leaves no trace on the affected server. OpenSSL is an open source piece of software that is used all over the world, including in OS X. However, from what I can tell, no version of OS X is affected by this bug.
The vulnerability was introduced in OpenSSL version 1.0.1 in early 2012 and was not fixed until April 7th of this year, when version 1.0.1g was released. Luckily, Apple had decided to deprecate OpenSSL from its systems in 2012 due to stability issues. The last version of OpenSSL shipped by Apple was 0.9.8y, which is still included in the latest 10.9.2 Mavericks. OpenSSL has also never been provided as a part of iOS. This goes for both client and server versions of OS X.
Even though Macs and iOS devices are safe from this particular bug, there are still many servers out there that do not run OS X and/or whose administrators have chosen to upgrade the OpenSSL on their OS X machines themselves. Connecting to these vulnerable servers can still compromise the data that is supposed to be encrypted. Now that the word is out, administrators all over the world are scrambling to update their versions of OpenSSL, but it is a race against the clock. As with all newly discovered vulnerabilities, there are many people out there who are eager to exploit them before they get fixed. Exploits have already been demonstrated and discussed for Yahoo Mail, for example. Any server that has not updated its OpenSSL to version 1.0.1g will remain vulnerable, and unfortunately there will be many that take their time updating, if ever. There is also a way to keep the currently installed version and still close the hole: recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag disables the heartbeat extension entirely and is apparently equally effective.
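Since the post boils down to a version check (1.0.1 through 1.0.1f affected, 1.0.1g fixed, 0.9.8 and 1.0.0 never had the heartbeat code, or the heartbeat extension compiled out with -DOPENSSL_NO_HEARTBEATS), here is an added example, not part of the original post or of OpenSSL itself, that an administrator could run against the output of `openssl version -a` on their own machines. The sample outputs are constructed; the code assumes that a build configured with -DOPENSSL_NO_HEARTBEATS shows that define in the compiler line of `openssl version -a`, and it also knows that the 1.0.2-beta1 pre-release shipped the bug while beta2 fixed it.

```python
import re

# Versions that carry the Heartbleed bug: 1.0.1 (no letter) through 1.0.1f.
# 1.0.1g fixed it; the 0.9.8 and 1.0.0 branches never had the heartbeat code.
VULNERABLE_101_LETTERS = ("", "a", "b", "c", "d", "e", "f")

# Constructed sample outputs of `openssl version` / `openssl version -a`.
SAMPLES = {
    "mail.example": "OpenSSL 1.0.1e 11 Feb 2013",
    "web.example": "OpenSSL 1.0.1g 7 Apr 2014",
    "mac-10.9.2": "OpenSSL 0.9.8y 5 Feb 2013",
    "old-lts": "OpenSSL 1.0.0k 5 Feb 2013",
    "rebuilt": "OpenSSL 1.0.1e 11 Feb 2013\n"
               "compiler: gcc -DOPENSSL_NO_HEARTBEATS -O3 -Wall",
    "beta-box": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "no-openssl": "LibreSSL 2.0.0",
}


def parse_version(text):
    """Extract (major, minor, fix, letter, beta) from text such as
    'OpenSSL 1.0.1e 11 Feb 2013'; return None if no OpenSSL version is present."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?", text)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, beta or ""


def classify(version_output):
    """Return 'vulnerable', 'fixed', 'mitigated', 'not affected' or 'unknown'
    for the text printed by `openssl version` or `openssl version -a`."""
    parsed = parse_version(version_output)
    if parsed is None:
        return "unknown"
    major, minor, fix, letter, beta = parsed
    base = (major, minor, fix)

    if base < (1, 0, 1):
        return "not affected"          # 0.9.8x and 1.0.0x: no heartbeat code at all

    if base == (1, 0, 1):
        status = "vulnerable" if letter in VULNERABLE_101_LETTERS else "fixed"
    elif base == (1, 0, 2) and beta == "-beta1":
        status = "vulnerable"          # 1.0.2-beta1 shipped the bug; beta2 fixed it
    else:
        status = "fixed"

    # Assumption: a build configured with -DOPENSSL_NO_HEARTBEATS shows the define
    # in the compiler line of `openssl version -a`. Such a build has no heartbeat
    # extension, so the vulnerable code path cannot be reached.
    if status == "vulnerable" and "OPENSSL_NO_HEARTBEATS" in version_output:
        status = "mitigated"
    return status


def audit(samples):
    """Classify every host in a {name: version_output} mapping."""
    return {name: classify(output) for name, output in samples.items()}


if __name__ == "__main__":
    for host, status in audit(SAMPLES).items():
        print(f"{host:12s} {status}")
```

One caveat for anyone using this on Linux: distributions such as Debian and Ubuntu backport security fixes without bumping the upstream version string, so a host reporting 1.0.1e may already be patched. The version check narrows the search; the package changelog (or the vendor's advisory) settles it.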
It is recommended to check with the companies/services you use whether this bug affected them and, if so, whether it has been patched. If it has indeed been patched, change passwords immediately. Changing passwords before the bug is patched is useless, as the new password can be compromised just as easily as the old one. Luckily, most responsible companies and services are doing everything they can to update their OpenSSL versions and proudly let their customers know this process is underway or completed. For all others, follow up yourself.
For years we assumed this portion of the internet was safe, only to learn later that it was not. Now that there is a fix, we can all go back to believing it's safe, or can we? Probably not. By now we all know that the illusion of safety is just that, an illusion. Ed Snowden has opened our eyes to that. More vulnerabilities will be discovered in systems we trust, not just OpenSSL. As we are not psychics, we won't know what these vulnerabilities will be, so it's hard to prepare, but there are some ways you can better protect yourself.
In this particular case, let's say your mail server is running a vulnerable version of OpenSSL, and someone has exploited it. That person now has your name and password. If you use the same password for other sites and services, that person can now potentially access those as well, even though those other servers were not vulnerable to this particular bug. So, always use different passwords for different sites and services. This way, if one is compromised, the others should be safe. I have covered passwords before here, here and here. Luckily, the servers hosting this website, our email, my bank and other services I use have all patched and/or updated their servers.
Update: Something I had not even thought about was brought to my attention by this article. Indeed, most modems, routers, firewalls and other network equipment use OpenSSL as well. Disabling remote management features on most common home routers should be enough to protect yourself from this particular bug, but this will not be easy on modems, which use SSL connections to give your Internet Service Provider secure remote access when you call tech support about an issue.
If readers have more information on this that may be relevant please do not hesitate to leave comments.