Heartbleed: The biggest TLS vulnerability since 2006

Still reeling from the security vulnerabilities disclosed just a number of weeks ago, TLS took a blow this week. TLS (also known as SSL) is the backbone of encryption on the Internet. It secures your online banking, e-mail login, and just about every site on the Internet that has a login. The vulnerability that was discovered allows an attacker to read system memory directly from the server. “Catastrophic” does not begin to describe this event. The problem is so bad that attackers have been reading and dumping plaintext passwords for individuals’ Yahoo! Mail accounts. Yes, personal email accounts are having their passwords leaked. And it does not stop there. Hundreds of sites are vulnerable (and are still vulnerable as of the writing of this article). The best way to describe this vulnerability is as a complete break of Internet security.

A while ago, the Internet Engineering Task Force (IETF) designed an extension to TLS called “heartbeat”. This extension allows browsers to send a “heartbeat” to the server every once in a while, and keep the connection open. As a brief background, TLS is a layer of encryption that goes underneath your normal Internet browsing. In other words, your browser first establishes a TLS connection with the website you are trying to browse, and only afterward does it start transmitting the actual web page. However, starting a TLS connection takes a significant amount of time, and can bog down performance. Therefore, it is useful to have a way of keeping a single connection open, and re-using it as necessary. This is where the heartbeat comes in handy.

However, in OpenSSL, which is a widely used implementation of TLS/SSL, the heartbeat extension had a bug. Actually, for the past two years it has had a bug. This bug is not a problem with TLS itself; it is just an issue with OpenSSL, and has since been fixed in the latest release. If a malicious client sends a specially crafted message to a vulnerable server, this bug allows the client to read from the server’s main memory. In practice, this allows attackers to read the private keys used to encrypt and decrypt sensitive information. With a server’s private keys, an attacker can impersonate the server and eavesdrop on other people who are browsing that website. This means that emails and passwords can be decrypted. The encryption itself has become useless.

Quoting from the researchers’ web page about the vulnerability, “We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.” Yahoo! Mail, AdFly, Tor, and numerous other services have been affected by this exploit. Luckily, Google, LastPass, and some other critical websites have not been affected. However, it is recommended that all websites update their OpenSSL installation immediately, and revoke and re-issue all X.509 certificates. If you do not know what this means, do not worry. However, be careful about browsing the Internet this week, and if a website asks you to change your password, do so as soon as possible.
