24 | April | 2014 | Impressions

Heartbleed

It has now been revealed that a very serious bug was independently discovered by a team of security engineers at Codenomicon and Google Security, and they reported it to the OpenSSL team.

Antti Karjalainen, Riku Hietamaki, and Matti Kamunen at Codenomicon found the bug while improving the SafeGuard feature in their Defensics security testing tools. They reported this bug to the NCSC-FI for vulnerability coordination and reporting to OpenSSL team.

Google Security’s Neel Mehta, who worked independently of Codenomicon team is also credited with being the first to discover the flaw and reported it to the OpenSSL team.

Now this bug has been nicknamed “Heartbleed” and CVE-2014-0160 is the official reference to this bug. Common Vulnerabilities and Exposures (CVE) is the Standard for Information Security Vulnerability Names maintained by MITRE.

OpenSSL, used by most Internet websites, is a set of open source software tools to handle secure communication. This secure technology is represented in URL addresses by the “s” in HTTPS, indicating our communications with that particular site are encrypted and a third person would not be able to read any information sent or received. SSL turns our communication into a coded strain that has to be unlocked by a digital key. Here is what it looks like for the Facebook login page:

According to Matthew Green, cryptographer and Assistant Research Professor at the Johns Hopkins University, the Heartbleed vulnerability is in the OpenSSL software which was not cleverly engineered to be this way, but the result of a “mundane coding error”.

The Heartbleed bug allows an attacker to read sensitive information from vulnerable servers and possibly steal items like passwords, cookies, and encryption keys.

The author of the article “The Heartbleed Bug” published in heartbleed.com says:

“We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”

To the question “How to stop the leak?”, he says:

“As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.”

In the post “Heartbleed Security Update“, Barry Abrahamson, the Chief Systems Wrangler at Automattic, responsible for running the globally distributed infrastructure that powers WordPress.com, Akismet, VaultPress, IntenseDebate, and others revealed that the WordPress.com servers “were running the latest version of OpenSSL, which was vulnerable. We generally run the latest version of OpenSSL to enable performance enhancements, such as SPDY, for our users. The non-vulnerable versions of OpenSSL were over two years old.”

Barry assures us that WordPress.com fixed the issue by patching all their servers within a few hours of the public disclosure and replaced all SSL certificates and private keys. He said:

“Out of an abundance of caution, we have replaced all of our SSL certificates, along with regenerating all of the associated private keys. In addition, our servers support forward secrecy so that even if our private keys were compromised, they could not have been used to decrypt old encrypted communication.”

About resetting password by users on WordPress.com, Barrys said that at this time, they will not be forcing their users to change their password. He added:

“If you want to, you are welcome to change your password. If you are using the same password other places on the Internet, we urge you to change your password and remind you to use unique passwords wherever possible.”

Now, with the assurance by Barry on behalf of WordPress.com, I feel secure.