In early April 2014, news of the Heartbleed security vulnerability was announced to the world. This flaw affects the security of supposedly secure SSL (read HTTPS) communications between your browser and your service provider, such as your bank. Specifically, it only impacts services which run on Apache web servers implementing the later releases of the OpenSSL utility application. The flaw allows hackers to read the content of server memory, and with it the content of your secure-channel communications: everything that you see on the pages of your bank’s website.
There are a number of interesting points about this particular flaw:
- It only impacts those who have ‘done the right thing’ and regularly updated their platforms with the latest software releases – it seems staying with older releases would have been the better option.
- It does not impact Windows/IIS servers providing secured websites – we have been led to believe for a long time that Windows’ technology is so much more insecure than the open-source LAMP platform (read Linux, Apache, MySQL, PHP) because ‘so many developers work on open-source code it’s got to be better’ – I guess all those posts will need re-writing now.
- This flaw has existed for over two years – since March 2012 – what happened to all the ‘eyes-on-code’ of the open-source developer community during this period?
While code has now been produced to correct this flaw, the damage may have already been done: how many hackers have known of, and exploited, this flaw in the past two years without leaving any record of their attack? How much of our secure information exchange has already been compromised? The answer is, we will never know.
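The memory disclosure described above comes down to one missing length check in the TLS Heartbeat handler. The following is an added illustration, not OpenSSL’s code and not part of the original post: a simplified flawed handler beside the corrected one, run over a constructed block of sample memory in which a 22-byte heartbeat request claiming a 64-byte payload sits directly in front of unrelated data.

```c
#include <stdint.h>
#include <string.h>

/* Simplified TLS Heartbeat record (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16 bytes)
 * The flawed handler trusted payload_length from the peer and copied that many bytes
 * back, so a short request with a large claimed length echoed whatever lay beyond it. */
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16
#define REQ_LEN        22   /* 3-byte header + 3-byte payload "hi!" + 16 bytes padding */

/* Constructed sample of process memory: the 22-byte request, claiming a 64-byte
 * (0x0040) payload, is followed directly by unrelated data. None of it is real. */
static const uint8_t g_memory[128] =
    "\x01\x00\x40hi!PPPPPPPPPPPPPPPP"
    "SESSION=deadbeef-not-a-real-token; REQUEST=GET /account/balance";

static uint16_t hb_claimed_len(const uint8_t *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Flawed handler: copies the length the peer asked for. Returns bytes copied. */
int hb_echo_flawed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                          /* the received length is never consulted */
    uint16_t n = hb_claimed_len(rec);
    if (n > out_cap) n = (uint16_t)out_cap; /* only so this demo stays inside g_memory */
    memcpy(out, rec + HB_HDR_LEN, n);
    return n;
}

/* Corrected handler: the claimed length must fit inside the record actually received.
 * Returns bytes copied, or -1 when the record is rejected (dropped without a reply). */
int hb_echo_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING) return -1;
    uint16_t n = hb_claimed_len(rec);
    if ((size_t)HB_HDR_LEN + n + HB_MIN_PADDING > rec_len) return -1;  /* the missing check */
    if (n > out_cap) return -1;
    memcpy(out, rec + HB_HDR_LEN, n);
    return n;
}

/* 1 if the echoed bytes contain the neighbouring "SESSION=" data, i.e. memory was disclosed. */
int echo_discloses_neighbour(const uint8_t *out, int n) {
    for (int i = 0; i + 8 <= n; i++)
        if (memcmp(out + i, "SESSION=", 8) == 0) return 1;
    return 0;
}

/* Same request through both handlers: 1 when the flawed one discloses neighbouring
 * memory and the fixed one rejects the record, 0 otherwise. */
int demo_request_handling(void) {
    uint8_t out[64];
    int leaked = echo_discloses_neighbour(out, hb_echo_flawed(g_memory, REQ_LEN, out, sizeof out));
    return leaked && hb_echo_fixed(g_memory, REQ_LEN, out, sizeof out) == -1;
}
```

The corrected handler still answers a well-formed request whose claimed length matches what arrived; only the over-long claim is dropped.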
What to Do?
If you run secure services on an Apache web server, make sure you check whether you are using a flawed version of OpenSSL and take the corrective action prescribed in many other places.
If you use SSL-secured services – who doesn’t? – make sure you check if your service was compromised. If so, you need to change your passwords for these sites. You may also check any other sites at https://filippo.io/Heartbleed/ – just enter your URL to test.