Heartbleed bugHow the Heartbleed bug reveals a flaw in online security
The Heartbleed bug – which infects an extremely widespread piece of software called OpenSSL — has potentially exposed the personal and financial data of millions of people stored online has also exposed a hole in the way some security software is developed and used. The Heartbleed bug represents a massive failure of risk analysis. OpenSSL’s design prioritizes performance over security, which probably no longer makes sense. But the bigger failure in risk analysis lies with the organizations which use OpenSSL and other software like it. A huge array of businesses, including very large IT businesses with the resources to act, did not take any steps in advance to mitigate the losses. They could have chosen to fund a replacement using more secure technologies, and they could have chosen to fund better auditing and testing of OpenSSL so that bugs such as this are caught before deployment. They didn’t do either, so they — and now we — wear the consequences, which likely far exceed the costs of mitigation.
The Heartbleed bug that’s potentially exposed the personal and financial data of millions of people stored online has also exposed a hole in the way some security software is developed and used.
The bug is in an extremely widespread piece of software called OpenSSL. OpenSSL allows programmers to write systems that send sensitive data such as financial or medical information over the Internet, with confidence that anybody “listening in” will only get indecipherable gibberish.
It also provides a way to prove that a message came from a particular organization’s computer, so that you can be confident you’re sending your credit card details to Amazon or Apple rather than a criminal.
How was OpenSSL developed?
OpenSSL is not the only tool that provides these facilities, but it is by far the most common, due to its free availability and long history.
OpenSSL dates from the late 1990s, and like many other crucial pieces of Internet software, is developed by a loosely-organized global bunch of hobbyists, students and volunteers.
It is made available as open source software for anyone to use for free on very liberal terms. Most of the world’s Internet servers — and every Android smartphone — use a great deal of software developed in this manner, though many such developer teams include paid professionals from companies who use the software.
The Heartbleed bug
On New Year’s Eve 2011, German researcher and OpenSSL contributor Robin Seggelmann added code implementing a new feature called “heartbeats.”
The idea was straightforward: if a connection between two computers stays silent for too long, it is disconnected, so periodic “heartbeat” messages can keep the connection going.
As well as a simple “I’m here,” messages contain an arbitrary “payload” which is sent back and forth, a little like this:
Computer 1: “Hi, I’m still here, the payload is 5 characters long and is ‘12345’.”
Computer 2: “Hi, great, you’re still there, and your payload was 5 characters long and was ‘12345’.”
Unfortunately, Seggelmann’s code didn’t check that the payload was of the indicated length, so a malicious request could request more data than was in the payload:
Computer 1: “Hi, I’m still here, the payload is 50,000 characters long and is ‘12345’.”
Computer 2 would then send back a message with a payload of the requested length, the first characters of which would be the 12345 sent. The rest would be whatever happened to be in the computer’s memory next to the payload.