Sunday, April 13, 2014

Heartbleed bug

This word has been making the rounds for the last few days. While most of us are still unaware of this bug, some of us have just read about it.
Those of us who have must be curious to know what exactly this Heartbleed bug is all about. With my limited knowledge, I will put down what I could understand.

To begin with, we need to understand the concept of SSL, which stands for Secure Sockets Layer. In its newer version it is called TLS (Transport Layer Security). Information sent over the internet is encrypted so that no stranger can get access to it, and SSL/TLS is the way this encryption is done. OpenSSL is one open-source software package that implements SSL/TLS encryption, and it is widely used by many websites on the internet. This software has been revealed to have the bug "Heartbleed", which makes important data of the users, including usernames, passwords, bank details and much other sensitive information, available to the hacker. So, if a bank or company website is using OpenSSL for data encryption, your information and your web history are all available to the hacker.

This fact was recently revealed by two different sources on the same day. A security firm named Codenomicon and a Google researcher named Neel Mehta separately revealed this lacuna, coincidentally on the same day.
Apparently the bug should be called "CVE-2014-0160", based on the line on which the bug was found, but it has been given the more general name "Heartbleed" to make it popular and spread awareness about it faster. There is an extension of the OpenSSL software called "Heartbeat" which allows a connection to be kept open even when no data is being transferred between the two ends. The name "Heartbleed" is based on this concept and is meant to suggest that some unexpected data is bleeding out, without anybody's knowledge, through these open connections.
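
As an added illustration (my own simulation, not code from OpenSSL or from the CNET article), the C program below models the Heartbeat exchange described above: the other end says how long its payload is, the faulty handler echoes that many bytes without checking that they all belong to the message it received, and the fixed handler discards such a request instead. The "memory" array, the request and the secret string are constructed sample data.

```c
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST 1
#define HB_PADDING 16

/* Constructed stand-in for process memory: one heartbeat record followed by
 * unrelated data that a correct handler must never copy into its response. */
static unsigned char memory[64];
static unsigned char response[64];

/* Lays out a 5-byte request ("hello") whose header claims `claimed_len`
 * payload bytes, then a constructed secret right after the record.
 * Returns the record's real length (what actually arrived on the wire). */
static size_t build_memory(uint16_t claimed_len) {
    const char secret[] = "user=alice&pass=hunter2";        /* constructed sample */
    size_t record_len = 1 + 2 + 5 + HB_PADDING;             /* 24 bytes */
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(memory + 3, "hello", 5);
    memcpy(memory + record_len, secret, sizeof secret - 1);
    return record_len;
}

/* Vulnerable shape: the length comes from the peer's header and is never
 * compared with how many bytes really arrived, so the echo copies past the
 * record into whatever sits next to it. Returns bytes placed in `response`. */
size_t run_vulnerable(uint16_t claimed_len) {
    size_t rec_len = build_memory(claimed_len);
    uint16_t payload = (uint16_t)((memory[1] << 8) | memory[2]);
    (void)rec_len;                                          /* real length ignored */
    if (3 + (size_t)payload > sizeof memory) return 0;      /* keeps the simulation in-bounds */
    memcpy(response, memory + 3, payload);
    return payload;
}

/* Hardened shape, the bounds check the OpenSSL 1.0.1g fix added: if header,
 * claimed payload and minimum padding do not fit in the record that arrived,
 * discard the message silently instead of answering it. */
size_t run_fixed(uint16_t claimed_len) {
    size_t rec_len = build_memory(claimed_len);
    uint16_t payload = (uint16_t)((memory[1] << 8) | memory[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;
    memcpy(response, memory + 3, payload);
    return payload;
}
```

The same comparison of claimed length against record length is what network detection rules for this bug looked for: a heartbeat whose header promises more bytes than the record carries.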
Can we avoid this leaking of information? Apparently not. Changing passwords etc. in the coming days is of no use until the bug in OpenSSL itself is taken care of. Luckily, most banks do not use OpenSSL for encryption, so there is a good chance that your bank account details are safe with the bank.
You can check whether the sites you use are safe or not by visiting LastPass or Qualys. Apparently Gmail was using OpenSSL, and it is advised that you change your passwords.

All of the information presented here is taken from http://www.cnet.com/news/heartbleed-bug-what-you-need-to-know-faq/. Refer to this site to understand the bug in more detail.
