Dealing with Heartbleed: What You Need to Know


A Little SSL/TLS Primer

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the tools that let servers turn what would otherwise travel over the internet as plain, easy-to-read text into an encrypted jumble that is meaningless without the keys used to secure it. Those keys are made up of two parts: a public key and a private key. Together, they complete a digital signature that includes the information needed to turn the encrypted jumble back into usable data.

Anyone with the private key part of an SSL/TLS connection can decrypt what passes through that secure connection, because they hold the part that tells them exactly how to read the encrypted data.

This isn't so much a problem on the user side, because users only hold the public part of the encryption key; it's an issue on the server side, because the code flaw in OpenSSL can ultimately hand over the private encryption key.
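To make the public/private split above concrete, here is an added illustration (not code from the article or from OpenSSL) using a toy RSA key pair with tiny, well-known textbook numbers (p = 61, q = 53, so n = 3233, e = 17, d = 2753). Anything encrypted with the public part can only be turned back into the original value by whoever holds the private exponent d, which is exactly why a server's private key leaking is the serious part of Heartbleed. The key sizes are for reading, not for real use.

```c
/* Toy RSA: demonstrates that only the private key recovers data encrypted
 * to the public key. Added example; the key values are a constructed
 * textbook pair and are far too small for real security. */
#include <stdint.h>
#include <stdio.h>

/* Modular exponentiation: base^exp mod m, square-and-multiply. */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t result = 1;
    base %= m;
    while (exp > 0) {
        if (exp & 1) result = (result * base) % m;
        base = (base * base) % m;
        exp >>= 1;
    }
    return result;
}

typedef struct { uint64_t n; uint64_t e; } PublicKey;   /* what clients get */
typedef struct { uint64_t n; uint64_t d; } PrivateKey;  /* what the server keeps */

/* Constructed demo pair: p=61, q=53, n=3233, phi=3120, e=17, d=2753. */
static const PublicKey  DEMO_PUB  = { 3233, 17 };
static const PrivateKey DEMO_PRIV = { 3233, 2753 };

/* Encrypt a small value (must be < n) with the public key. */
uint64_t rsa_encrypt(PublicKey pk, uint64_t m) {
    return modpow(m, pk.e, pk.n);
}

/* Decrypt with the private key; this is the step only the key holder can do. */
uint64_t rsa_decrypt(PrivateKey sk, uint64_t c) {
    return modpow(c, sk.d, sk.n);
}

/* What someone holding only the public key can do with a ciphertext:
 * apply the public exponent again, which yields garbage, not the message. */
uint64_t attempt_without_private_key(PublicKey pk, uint64_t c) {
    return modpow(c, pk.e, pk.n);
}

int main(void) {
    uint64_t message = 65;                       /* constructed sample plaintext */
    uint64_t c = rsa_encrypt(DEMO_PUB, message);
    printf("ciphertext               : %llu\n", (unsigned long long)c);
    printf("with private key         : %llu\n",
           (unsigned long long)rsa_decrypt(DEMO_PRIV, c));
    printf("with public key only     : %llu\n",
           (unsigned long long)attempt_without_private_key(DEMO_PUB, c));
    return 0;
}
```

Running it shows the ciphertext 2790 coming back to 65 only through the private exponent; the same operation with the public exponent produces an unrelated number. A leaked private key lets a third party perform the first computation on captured traffic.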

Mac users had a security scare recently over an OS X and iOS flaw related to SSL/TLS that wasn't server-related. In that case, a coding error let your Mac, iPhone, or iPad skip over verifying the encrypted connection. That flaw gave hackers the ability to set up their own fake servers that your computer assumed were legitimate, so they could steal user data without ever involving the actual server or its private encryption keys.
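The Apple flaw referred to above is the widely reported "goto fail" bug in the OS X and iOS TLS code. The C sketch below is an added illustration of that kind of error and is not Apple's code: hash_update and verify_signature are stand-in functions, the error value is made up for the demo, and the structure is simplified. In the vulnerable form, a duplicated goto fail; line jumps past the signature check while the status is still "success", so a forged server signature is accepted; the fixed form keeps every goto under braces so no stray line can escape its condition.

```c
/* Added illustration of a verification routine where an accidentally
 * duplicated "goto fail;" skips the signature check. Stand-in helpers,
 * not Apple's implementation. */
#include <stdio.h>
#include <string.h>

typedef int OSStatus;                 /* 0 means success */
enum { ERR_VERIFY_FAILED = -1 };      /* constructed error value for the demo */

/* Stand-in hash step: always succeeds. */
static OSStatus hash_update(const char *data) { (void)data; return 0; }

/* Stand-in signature check: accepts only the literal "good-signature". */
static OSStatus verify_signature(const char *sig) {
    return strcmp(sig, "good-signature") == 0 ? 0 : ERR_VERIFY_FAILED;
}

/* Vulnerable form: the second "goto fail;" is indented like the first but is
 * not under the if, so it always runs. err is still 0 at that point, and the
 * signature check below it is never reached. */
OSStatus verify_vulnerable(const char *sig) {
    OSStatus err = 0;
    if ((err = hash_update("client-random")) != 0)
        goto fail;
    if ((err = hash_update("server-random")) != 0)
        goto fail;
        goto fail;                         /* the stray duplicate line */
    if ((err = verify_signature(sig)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed form: every goto lives inside braces, so a duplicated line would
 * stay inside its condition, and the signature check is always reached. */
OSStatus verify_fixed(const char *sig) {
    OSStatus err = 0;
    if ((err = hash_update("client-random")) != 0) {
        goto fail;
    }
    if ((err = hash_update("server-random")) != 0) {
        goto fail;
    }
    if ((err = verify_signature(sig)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    printf("vulnerable accepts forged signature: %s\n",
           verify_vulnerable("forged") == 0 ? "yes" : "no");
    printf("fixed accepts forged signature     : %s\n",
           verify_fixed("forged") == 0 ? "yes" : "no");
    printf("fixed accepts good signature       : %s\n",
           verify_fixed("good-signature") == 0 ? "yes" : "no");
    return 0;
}
```

Compilers with unreachable-code or misleading-indentation warnings enabled flag the vulnerable form, which is the cheap defensive check that would have caught this class of mistake before it shipped.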

Apple patched that flaw in an operating system update, but that does nothing to protect users from the threat Heartbleed poses, because Heartbleed is a server-side issue and not something your computer, tablet, or smartphone can detect, regardless of which operating system it runs. In other words, it doesn't matter whether you use a Mac, Windows PC, Linux, iPhone, or Android smartphone.

Comments

Bosco (Brad Hutchings)

It’s a good thing that Google’s known strategy of selling out their customers gave them the incentive to identify this problem!

gnasher729

Has anyone ever claimed that Google is selling out their customers? The problem is that end users are not Google’s customer, but the product.

Lee Dronick

How does iOS 7 deal with the certificates? Do we need to do anything on those devices to protect ourselves?

John Dingler, artist

Hi Jeff,
Safari user. Thanks.

John Dingler, artist

By the way, thanks for this clear step-by-step instruction. But I am sure that committed trespassers will figure out ways to skirt the roadblock to their shenanigans.

Paul Goodwin

Just for my education, in the vulnerable/not vulnerable site list, what does it mean when it says “No SSL”? It was obvious that it wasn’t vulnerable. Do they have their own encryption technology?

Macfox

Thanks Jeff for this update. I’m checking my browsers now. This is just one of the great reasons for TMO: you are all great!

wab95

Jeff:

Just wanted to say thank you for posting this excellent analysis of what heartbeat and Heartbleed are, are not, and what we can do about it. I’ve taken the liberty of sharing this page with a number of friends and family who’ve been sending me both articles on the phenomenon (some not so well informed or accurate) as well as requests for how to respond to it.

Knowledge is a powerful antidote to fear.

Bart B

Great article Jeff - it’s not at all easy to explain this stuff in a way that’s clear to regular folks, while still being accurate. The line between over simplification and information overload can be very hard to find, but I think this is pretty darn close to perfect :)
