Stop the World, we are going to talk about the security news of the week (maybe of the month or of the year too): the Heartbleed bug (MITRE CVE).
For anyone who hasn't already read about it, Heartbleed is a bug in the OpenSSL library, which is used to encrypt internet traffic between client and server and also for the server authentication step.
The Heartbleed bug allows an attacker to get back, after a well-crafted heartbeat request, 64 KB of server memory. What can be stored in these 64 KB? Everything, encryption keys included, and the attack is not traceable.
Why is this bug so dangerous? First of all, because information encrypted with OpenSSL is privacy-sensitive, and last but not least because over half a million websites, including sites on the scale of Facebook and Yahoo, were affected.
Stealing a server's encryption keys means that attackers may be able to decrypt all the traffic they captured up to the moment the bug is fixed and new key pairs are generated. Also, once a malicious user gets the certificate of a website, he can set up a fake website that your browser will accept as the original one, and you can become the victim of further attacks.
Everything can be decrypted: your passwords, credit card numbers, email, every communication you thought was protected by the SSL/TLS protocols.
When you browse https:// websites you are using SSL, and if the server uses OpenSSL it may have been affected by Heartbleed.
Heartbleed is presumed to be an implementation bug. Still, no one can assure us that a bug that appeared 2 years ago (it was not present before version 1.0.1) was not deliberately planted or used by intelligence agencies, like the eavesdropping and cryptography backdoor programs revealed by Edward Snowden. This hypothesis, along with a more detailed explanation, appeared on Bruce Schneier's blog: LINK
There is also a good video with a more technical explanation of the bug: LINK
If you run a server (or even if you run an OS that relies on OpenSSL for security) you must upgrade to the latest safe version as soon as you can.
Generally version 1.0.1g is safe, while versions 1.0.1 through 1.0.1f are not.
Under GNU/Linux you can type
$ openssl version
to print the version in use:
OpenSSL 1.0.1e 11 Feb 2013
Then check your OS news: for example, on Ubuntu 13.10 version 1.0.1e is safe. Other versions of Ubuntu have different safe, patched OpenSSL versions. But first of all you have to check the services you use and, once they are safe, change your passwords where needed.
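The version check above can be scripted. The following is an added example, not code from the OpenSSL project or from this post's sources: the function name and the four result labels are made up for illustration, and the ranges are the ones given in this post (bug introduced in 1.0.1, fixed in 1.0.1g).

```sh
#!/bin/sh
# classify_openssl_version "<one line of `openssl version` output>"
# Prints one label (labels are hypothetical, chosen for this example):
#   predates-bug    older than 1.0.1, where the bug did not exist yet
#   upstream-range  1.0.1 through 1.0.1f: vulnerable as released upstream, but
#                   a distribution may have patched it without changing the
#                   version string (the Ubuntu 13.10 case), so read the
#                   distribution's security notice before deciding
#   fixed-upstream  1.0.1g or a later 1.0.1 letter release
#   other           anything else; not covered by the ranges in this post
classify_openssl_version() (
    # Subshell body keeps LC_ALL and ver local to the function.
    LC_ALL=C    # make the [a-f] / [g-z] ranges plain ASCII
    # "OpenSSL 1.0.1e 11 Feb 2013" -> second field is the version
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    ver=${ver%%-*}    # drop build suffixes such as "-fips"
    case "$ver" in
        0.*|1.0.0*)        echo predates-bug ;;
        1.0.1|1.0.1[a-f])  echo upstream-range ;;
        1.0.1[g-z]*)       echo fixed-upstream ;;
        *)                 echo other ;;
    esac
)

# The sample output line shown in this post:
classify_openssl_version "OpenSSL 1.0.1e 11 Feb 2013"    # prints: upstream-range
```

On a live system, pass it the real output: classify_openssl_version "$(openssl version)".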
A list of services compromised by this bug may be found here: VIA MASHABLE (Couldn't say if this website is trustworthy, can't find a list anywhere else)
If you need to visit a website, at this LINK you can check whether the bug has been fixed before visiting it. Just put the link in the field and run the test. If the website is vulnerable, it is better to give up on the connection.
Have a nice weekend… if you don’t work for a Certification Authority. 😉