Internet bleeds with Heartbleed bug

The Internet is abuzz about a new bug named "Heartbleed". It is a bug (a flaw), not a virus or malware: a security vulnerability in OpenSSL, the widely used SSL/TLS library (more details below). The flaw was allegedly introduced in the version released on April 19, 2012; a small mistake by a programmer allows anyone with the technical knowledge to retrieve information from websites that use OpenSSL for encryption.

What is Heartbleed?

Heartbleed, believed to be one of the biggest bugs in the modern Internet's history, is a vulnerability in OpenSSL, the library many websites use to encrypt communications between users and the site.

Around 500,000 websites may be affected by this bug, but there is no reliable information on that front. The vulnerability is in a built-in feature of OpenSSL called heartbeat. When you access an SSL-enabled website (https:// instead of http:// for secured connections), the data exchanged over the SSL channel is encrypted on one end and decrypted on the other. Alongside that, either side can send a small request and expect the same data echoed back in a response; this request-response exchange, whose purpose is to confirm that the connection is still active, is called the heartbeat.

Why is it called heartbleed?

Heartbleed was named by Ossi Herrala, a systems administrator at Codenomicon. It is the common name for the bug; the technical identifier is CVE-2014-0160.

What sites are affected?

The issue is widespread: almost 38% of Internet sites use OpenSSL for encryption. However, financial institutions and some other businesses use their own proprietary encryption software, so those sites are not affected by this bug. Some businesses are slow to embrace newer versions and have not updated to newer releases of OpenSSL; since the flaw was introduced in the version released on April 19, 2012, businesses or websites still running older versions of OpenSSL may not be affected.

List of popular sites and their status

Name        Is it affected?   Action?
GMail       Yes               Change your password
Google      Yes               Change your password
Facebook    Not sure          Change your password
Twitter     Not sure          Not sure
Pinterest   Yes               Change your password
Instagram   Yes               Change your password

Mashable has a handy list of the affected sites and what actions to take.

Should I care as a user?

Yes, the bug affects major websites. Sites using OpenSSL have been vulnerable since April 19, 2012, and your passwords and other sensitive information might have been compromised, so it is better to be safe than sorry. Even if a major website states that it has fixed the bug or updated its security to cover the flaw, you should consider changing your password. After all, it's your data and your account.

The bug makes those supposedly secure sites an "open book": anyone who knew about the vulnerability could have harvested passwords and other data from the web.

Should I care as a publisher?

Yes, if you use OpenSSL for your sites, you should fix them. To start with, you can use the tools below to find out whether your site is affected:

Qualys SSL Labs, Filippo, and LastPass.

Note from the OpenSSL project's advisory:

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks to Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
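The advisory's version list is easy to misread under pressure (1.0.1 with no letter is affected, 1.0.1g is not), so here is an added example, not from the original post or from the OpenSSL project, that turns the list into a check you can run against the string `openssl version` prints. The function name `heartbleed_affected` and the sample version strings are this example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Classify an OpenSSL version string (as printed by `openssl version`, e.g.
 * "OpenSSL 1.0.1f 6 Jan 2014") against the affected range quoted from the
 * advisory above: 1.0.1 through 1.0.1f, and the 1.0.2-beta releases.
 *
 * Returns 1 if the version is in that range, 0 if it is not, and -1 if the
 * string cannot be parsed. The function name and layout are this example's
 * own, not OpenSSL's.
 */
int heartbleed_affected(const char *version)
{
    unsigned major, minor, patch;
    int consumed = 0;

    /* Tolerate the "OpenSSL " prefix that the CLI prints. */
    if (strncmp(version, "OpenSSL ", 8) == 0)
        version += 8;

    if (sscanf(version, "%u.%u.%u%n", &major, &minor, &patch, &consumed) != 3)
        return -1;
    const char *rest = version + consumed;   /* patch letter, "-beta...", or date */

    if (major != 1 || minor != 0)
        return 0;                            /* 0.9.8 and other branches are not listed */

    if (patch == 1) {
        /* 1.0.1 with no letter, and 1.0.1a..1.0.1f, are affected; 1.0.1g carries the fix. */
        if (!isalpha((unsigned char)*rest))
            return 1;
        return (tolower((unsigned char)*rest) <= 'f') ? 1 : 0;
    }

    if (patch == 2)                          /* 1.0.2-beta1, as the advisory states */
        return (strncmp(rest, "-beta", 5) == 0) ? 1 : 0;

    return 0;                                /* 1.0.0 is not in the affected range */
}

int main(void)
{
    /* Constructed sample strings, not output captured from any real host. */
    const char *samples[] = {
        "OpenSSL 1.0.1f 6 Jan 2014", "1.0.1", "1.0.1g", "1.0.2-beta1", "0.9.8y", "1.0.0k",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = heartbleed_affected(samples[i]);
        printf("%-28s -> %s\n", samples[i],
               r == 1 ? "AFFECTED: upgrade to 1.0.1g or rebuild with -DOPENSSL_NO_HEARTBEATS"
               : r == 0 ? "not in the affected range" : "unparseable");
    }
    return 0;
}
```

A result of 1 means apply the advisory's remedy. Treat the version check as necessary but not sufficient: a patched library whose services were never restarted, or a distribution package that backports the fix while keeping the old version number, will only be settled by a live test such as the tools listed above.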

What is this bug?

The bug itself is a very simple mistake by a programmer, but it is causing the Internet the biggest scare in its history. The bug allows anyone to retrieve information from an open connection to the web server without leaving any trace. That information may contain usernames, passwords, encryption keys, credit card numbers and other useful data.
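To make that "simple mistake" concrete, here is an added example, not code from the original post or from OpenSSL itself: a miniature heartbeat responder in C that includes the bounds check the fix added. The record layout, the function names `heartbeat_response` and `build_heartbeat_request`, and the sample payload are this example's own assumptions; the point is that the payload length declared inside the message is compared against the number of bytes that actually arrived before anything is copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified TLS heartbeat record (layout assumed for this illustration,
 * following the extension's type / length / payload / padding shape):
 *   byte 0      : message type (1 = request, 2 = response)
 *   bytes 1-2   : declared payload length, big-endian
 *   bytes 3..   : payload
 *   last 16     : padding
 * rec_len is the length the transport actually delivered.
 */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER = 3, HB_PADDING = 16 };

/* Build a heartbeat response in `out`. Returns the number of bytes written,
 * or -1 if the record is malformed. The length comparison is the one test
 * the vulnerable code lacked: the declared length is checked against the
 * bytes that really arrived before any copy happens. */
int heartbeat_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check: without it, a declared length larger than the record
     * makes the memcpy below read past the record into whatever else sits in
     * the process's memory, and echo it back to the peer. */
    if (HB_HEADER + payload + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = HB_HEADER + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);  /* echo only bytes that exist */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);   /* real TLS uses random padding */
    return (int)resp_len;
}

/* Test fixture: build a request record. `declared_len` is written into the
 * header independently of `actual_len` so the validation above can be
 * exercised with an inconsistent record. Returns bytes written, 0 on overflow. */
size_t build_heartbeat_request(uint8_t *buf, size_t cap, uint16_t declared_len,
                               const uint8_t *payload, size_t actual_len)
{
    size_t total = HB_HEADER + actual_len + HB_PADDING;
    if (total > cap)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared_len >> 8);
    buf[2] = (uint8_t)(declared_len & 0xff);
    memcpy(buf + HB_HEADER, payload, actual_len);
    memset(buf + HB_HEADER + actual_len, 0, HB_PADDING);
    return total;
}

int main(void)
{
    uint8_t req[64], resp[128];
    const uint8_t msg[] = "hello";               /* constructed sample payload */

    /* Consistent record: declared length matches the 5 bytes present. */
    size_t n = build_heartbeat_request(req, sizeof req, 5, msg, 5);
    int r = heartbeat_response(req, n, resp, sizeof resp);
    printf("consistent record: response of %d bytes, payload \"%.5s\"\n",
           r, (const char *)resp + HB_HEADER);

    /* Inconsistent record: declares 65535 bytes but only 5 are present. */
    n = build_heartbeat_request(req, sizeof req, 65535, msg, 5);
    r = heartbeat_response(req, n, resp, sizeof resp);
    printf("mismatched record: %s\n", r < 0 ? "rejected, nothing leaked" : "accepted");
    return 0;
}
```

With that comparison absent, the echo copies as many bytes as the peer declared, up to 64 KB per message because the length field is 16 bits wide, out of memory beyond the record, which is how the keys and passwords mentioned above end up in the response. Rejecting the record is the whole fix; the -DOPENSSL_NO_HEARTBEATS workaround from the advisory simply removes the feature instead.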

When was it discovered?

It surfaced and was made public on April 7.

Who discovered the bug?

Google researcher Neel Mehta and the Finnish security firm Codenomicon found the bug independently, surprisingly on the same day. Heartbleed has been called "one of the most serious security problems to ever affect the modern web".

What applications or sites are affected?

Mashable has a handy list of the affected sites and what actions to take.

What is SSL?

SSL stands for Secure Sockets Layer; it is also known by its newer name, TLS (Transport Layer Security). Ever noticed https:// in the URL of a site you are using? SSL encrypts all data transmitted over the SSL channel, and it is decrypted at the destination. All passwords, usernames, credit card information and other sensitive information sent across an SSL channel is encrypted so that hackers cannot eavesdrop on you and retrieve it.

What is OpenSSL?

OpenSSL is an open-source project providing an SSL/TLS implementation used across the web. Two-thirds of websites use OpenSSL. It provides basic cryptographic functions to prevent hackers from retrieving personal data submitted by users to a website.

Did the NSA (National Security Agency) exploit the Heartbleed bug?

Is the OpenSSL project funded well enough to act as the backbone of two-thirds of Internet websites?

Are other devices, like phones and Internet-enabled home devices, affected?

1 comment:

  1. Thanks for sharing! Love the details