Overview
Heartbleed is a bug (a mistake in the implementation of the software) in a very widely used cryptographic library called OpenSSL. Any application that uses the buggy version of OpenSSL is compromised, because this bug has the potential to expose important and sensitive information of its users. The sad part is, no one would even know if some hacker got hold of sensitive user information such as passwords and credit card info.
This bug was introduced into the OpenSSL library in 2011 and stayed there undiscovered till 2014. The OpenSSL library is open source software that provides an implementation of the Transport Layer Security (TLS) protocol. In other words, OpenSSL encrypts the information being exchanged between a client and a server.
Why is it called Heartbleed?
The OpenSSL library provides a heartbeat extension service, which makes sure the connection between the client and the server is kept alive. The bug was in this heartbeat extension service, which is how the name Heartbleed was derived.
How does the Heartbleed bug work?
Say I am the attacker trying to attack a banking application called Foo.com. This banking application, Foo, is using our buggy OpenSSL library to encrypt all the information exchanged with its users. I log in to Foo, so internally all the usual networking formalities, such as the TCP 3-way handshake, symmetric private key exchange, etc., have been completed and a connection has been set up between me and Foo's server. In order to keep this connection alive, a heartbeat extension service is running in the background. My machine sends some data (a payload) along with the length of that payload to Foo's server. The Foo server running the OpenSSL library (written in C) receives my payload and length. The heartbeat service finds the payload I sent in its memory and sends back data equal to the length I sent, as shown in the image. I sent my payload 'POTATO' and its length '6'. The server finds 'POTATO' stored in its memory and sends back 6 letters.
The bug in this heartbeat service is that it does not check whether the actual length of the payload and the length being sent are equal. This missing security check enables hackers to retrieve vast amounts of data from the server's memory.
To continue with the previous example: as I am the hacker, and I have seen the server respond with data equal to the length I ask for, I now send a payload with a longer length than it really has. Referring to the image below, I send 'HAT' and, instead of sending 3 as the length, I send 500. The server finds 'HAT' in its memory and sends back 500 letters starting from there, which could include all kinds of data such as account and credit card information of users.
Each exchange can transmit 64kb of data. If a hacker tries enough times, he could extract extremely sensitive information from the server with repeated hits. That would be a clean crime leaving no traces.
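The missing check described above, as an added example: a simplified C model of a heartbeat handler, not OpenSSL's own code and not part of the original post. It puts the flawed handler beside one that compares the claimed length with the real record length and drops the request when they disagree. The record layout (1 type byte, 2 length bytes, payload, with the protocol's padding omitted), the function names, the arena buffer and the NEIGHBOUR string are all assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER 3 /* 1 type byte + 2-byte big-endian claimed payload length */

/* Payload length as claimed by the sender; never trustworthy on its own. */
static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Flawed handler: echoes the claimed number of bytes and ignores rec_len. */
size_t hb_echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;
    size_t n = hb_claimed_len(rec);
    memcpy(out, rec + HB_HEADER, n); /* runs past the record if n is too big */
    return n;
}

/* Hardened handler: drop (return 0) a record whose claimed length cannot fit. */
size_t hb_echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HB_HEADER) return 0;
    size_t n = hb_claimed_len(rec);
    if (n > rec_len - HB_HEADER) return 0;
    memcpy(out, rec + HB_HEADER, n);
    return n;
}

/* Constructed stand-in for server memory: the record, then unrelated data.
   demo_build() lays out one record there and returns its true length. */
static uint8_t arena[512];
static const char NEIGHBOUR[] = "user=alice;card=0000-EXAMPLE";

size_t demo_build(const char *payload, size_t claimed) {
    size_t plen = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = 1; /* request type */
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + HB_HEADER, payload, plen);
    memcpy(arena + HB_HEADER + plen, NEIGHBOUR, sizeof NEIGHBOUR);
    return HB_HEADER + plen;
}

int main(void) {
    uint8_t out[sizeof arena];
    size_t rec_len = demo_build("HAT", 500);
    printf("unchecked echoes %zu bytes\n", hb_echo_unchecked(arena, rec_len, out));
    printf("checked echoes %zu bytes\n", hb_echo_checked(arena, rec_len, out));
    return 0;
}
```

With the honest 'POTATO' / 6 request both handlers echo six bytes; with 'HAT' / 500 the unchecked one returns the neighbouring data as well, while the checked one returns nothing.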
Solution
Changing your password would not help you here. The only way is to replace your buggy version of the OpenSSL library with the updated patch.

