Dealing with Heartbleed: What You Need to Know

| Analysis

Heartbleed and Heartbeat? Give Me Some English, Please

First, a quick overview of heartbeat. In simple terms, it's a bit of code in OpenSSL that keeps your SSL/TLS sessions open with a server instead of timing out and forcing you to start over. SSL and TLS are protocols for the secure connections between your computer and servers that host websites and email.

Now, a little about heartbleed. There's a flaw in OpenSSL's heartbeat feature that hands over information stored in memory when it shouldn't. Hackers can send servers a heartbeat request that doesn't include as much data as it should, and the server responds by handing over random pieces of data stored in its memory, 64K at a time. Send enough malformed requests, and eventually you'll have enough data to put together the encryption keys the server uses for all of its encrypted communication.

Those encryption keys are essentially the keys to the kingdom. Hackers don't have to gain further access to the server to steal data; instead, they simply need to listen in on the data passing between users and the server, and then use the keys they stole to decrypt whatever is in the secure connection.

Comments

Bosco (Brad Hutchings)

It’s a good thing that Google’s known strategy of selling out their customers gave them the incentive to identify this problem!

gnasher729

Has anyone ever claimed that Google is selling out their customers? The problem is that end users are not Google’s customer, but the product.

Lee Dronick

How does iOS 7 deal with the certificates? Do we need to do anything on those devices to protect ourselves?

John Dingler, artist

Hi Jeff,
Safari user. Thanks.

John Dingler, artist

By the way, thanks for this clear step-by-step instruction. But I am sure that committed trespassers will figure out ways to skirt the roadblock to their shenanigans.

Paul Goodwin

Just for my education, in the vulnerable/not vulnerable site list, what does it mean when it says “No SSL”? It was obvious that it wasn’t vulnerable. Do they have their own encryption technology?

Macfox

Thanks Jeff for this update. I’m checking my browsers now. This is just one of the great reasons for TMO: you are all great!

wab95

Jeff:

Just wanted to say thank you for posting this excellent analysis of what heartbeat and Heartbleed are, are not, and what we can do about it. I’ve taken the liberty of sharing this page with a number of friends and family who’ve been sending me both articles on the phenomenon (some not so well informed or accurate) as well as requests for how to respond to it.

Knowledge is a powerful antidote to fear.

Bart B

Great article Jeff - it’s not at all easy to explain this stuff in a way that’s clear to regular folks, while still being accurate. The line between over simplification and information overload can be very hard to find, but I think this is pretty darn close to perfect smile

Log-in to comment