My Heart Bleeds (or, What’s Going On With Heartbleed)

One of the big news stories of the week has been “the Heartbleed bug”.  If you know a techie person, you might have noticed that person looking a bit more stressed and tired than usual since Monday (that was certainly true of me).  Some of the discussion might seem a bit confusing and/or scary; what’s worse, the non-tech press has started getting some of the details wrong and scare-mongering for readers.

So here’s my non-techie guide to what all the fuss is about.  If you’re a techie, this advice isn’t for you; chances are, you already know what you should be doing to help fix this.

(If you’re a techie and you don’t know, ask!  You might just need a little education on what needs to happen, and there’s nothing wrong with that, but you’ll be better off asking and possibly looking foolish than you will be if you get hacked.)

If you’re not inclined to read the whole thing, here are the important points:

  • Don’t panic!  There are reports of people cleaning out their bank accounts, cutting off their Internet service, buying new computers, etc.  If you’re thinking about doing anything drastic because you’re scared of Heartbleed, don’t.
  • You’ll probably need to change a lot of your passwords on various sites, but wait until each site you use tells you to.
  • This is mostly a problem for site servers, not PCs or phones or tablets.  Unless you’re doing something unusual (and you’d know if you were), you’re fine as long as you update your devices like you usually do.  (You do update your devices, right?)

So what happened?

There’s a notion called a “heartbeat signal”, where two computers talking to each other say “Hey, you there?” every so often. This is usually done by computer #1 sending some bit of data to computer #2, and computer #2 sending it back. In this particular situation, the two computers actually send both a bit of data and the length of that bit of data.

Some of you might be asking “so what happens if computer #1 sends a little bit of data, but lies and says the data is a lot longer than that?” In a perfect world, computer #2 would scold computer #1 for lying, and that’s what happens now with the bug fix. But before early this week, computer #2 would just trust computer #1 in one very specific case.

Now, computers use memory to keep track of stuff they’re working on, and they’re constantly asking for memory and then giving it back when they’re done, so it can be used by something else.  So, when you ask for memory, the bit of memory you get might have the results of what the program was doing just a moment ago–things like decrypting a credit card using a crypto key, or checking a password.

This isn’t normally a problem, since it’s the same program getting its own memory back.  But if it’s using this memory to keep track of these heartbeats, and it’s been tricked into thinking it needs to send back “the word HAT, which is 500 characters long”, then character 4 and following is likely to be memory used for something just a moment ago.

Most of that “recycled memory” would be undecipherable  junk. But credit cards, crypto keys, and passwords tend to be fairly easy to pick out, unfortunately.
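For the techies reading along anyway, here is the mechanism above boiled down to a few dozen lines of C.  This is an added illustration written for this post, not OpenSSL’s actual code: the record layout (one type byte, a two-byte length, the payload, sixteen bytes of padding), the “arena” buffer, the leftover `user=alice&password=hunter2` string and the handler names are all made up for the demonstration.  The buggy handler trusts the claimed length and copies that many bytes out of the buffer; the fixed handler refuses any record whose claimed payload plus padding does not fit in what actually arrived, which is the shape of the real fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of a TLS heartbeat record (not OpenSSL's
 * real code): 1 type byte, a 16-bit big-endian payload length, the payload,
 * then 16 bytes of padding. */
#define HB_HEADER 3
#define HB_PADDING 16
#define ARENA_SIZE 1024

/* Constructed receive buffer: the heartbeat request sits at the front and the
 * rest still holds whatever the program was doing a moment ago. */
static unsigned char arena[ARENA_SIZE];
static unsigned char response[65535 + HB_HEADER];
static size_t arena_record_len;

/* Write a heartbeat request that *claims* claimed_len bytes but actually
 * carries payload_len bytes. Returns the real record length. */
static size_t build_request(unsigned char *buf, uint16_t claimed_len,
                            const char *payload, size_t payload_len) {
    buf[0] = 1;                         /* type: heartbeat request */
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + HB_HEADER, payload, payload_len);
    memset(buf + HB_HEADER + payload_len, 0, HB_PADDING);
    return HB_HEADER + payload_len + HB_PADDING;
}

/* Fill the arena with a request plus stale data left behind by earlier work
 * (a made-up credential check, constructed for this example). */
static void setup_arena(uint16_t claimed_len) {
    const char *stale = "user=alice&password=hunter2";
    memset(arena, 0, sizeof arena);
    arena_record_len = build_request(arena, claimed_len, "HAT", 3);
    memcpy(arena + arena_record_len + 8, stale, strlen(stale));
}

/* Buggy handler: trusts the length in the header and copies that many bytes
 * from the request into the reply, reading past the real record. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len) {
    (void)rec_len;                      /* never consulted: that is the bug */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    memcpy(response, rec + HB_HEADER, claimed);   /* over-read */
    return claimed;
}

/* Fixed handler: drops the record when the claimed payload plus padding does
 * not fit inside what was actually received. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len) {
    if (rec_len < HB_HEADER) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return 0;
    memcpy(response, rec + HB_HEADER, claimed);
    return claimed;
}

/* Does the reply contain the given byte string anywhere (embedded zero bytes
 * included, so plain strstr would not do)? */
static int reply_contains(size_t reply_len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= reply_len; i++)
        if (memcmp(response + i, needle, n) == 0) return 1;
    return 0;
}

/* Run one lying request (claims 500 bytes, carries 3) through a handler. */
static size_t run_lying_request(int use_fixed) {
    setup_arena(500);
    return use_fixed ? heartbeat_fixed(arena, arena_record_len)
                     : heartbeat_vulnerable(arena, arena_record_len);
}

/* Run an honest request (claims 3 bytes, carries 3) through the fixed handler. */
static size_t run_honest_request(void) {
    setup_arena(3);
    return heartbeat_fixed(arena, arena_record_len);
}

int main(void) {
    size_t n = run_lying_request(0);
    printf("vulnerable: replied with %zu bytes, leaked password: %s\n",
           n, reply_contains(n, "password=hunter2") ? "yes" : "no");
    n = run_lying_request(1);
    printf("fixed: replied with %zu bytes (0 means record dropped)\n", n);
    n = run_honest_request();
    printf("fixed, honest request: replied with %zu bytes\n", n);
    return 0;
}
```

The over-read here stays inside the 1024-byte arena so the program is well defined; on a real server the same copy walks off the end of the record into whatever neighbouring heap memory holds, up to roughly 64 KB per request, which is why keys and passwords could turn up in the reply.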

And that, by the way, is where the name comes from: the heartbeat signal bleeds data, so “Heartbleed”.  There’s been some fascinating commentary on how well this bug has been marketed, by the way; hopefully, we in the techie community will learn something about how to explain problems like this for future incidents.

Does this affect every site?

No.  Only sites using certain newer versions of cryptographic software called “OpenSSL” (the 1.0.1 series, up to and including 1.0.1f) are affected by this.  OpenSSL is very popular; I’ve seen estimates that anywhere from a third to a half of all secure Internet sites use it.  But not all of those sites will have the bug, since it was only introduced in the last two years.

How do we know this?  OpenSSL is open source, and is developed “in public”.  Because of that, we know the exact moment when the bug was introduced, when it was released to the world, and when it was fixed.

(And, just for the record, it was an honest mistake.  Don’t go and slam on the poor guy who wrote the code with the bug.  It should have been caught by a number of different people, and none of them noticed it, so it’s a lot more complicated than “it’s his fault!  pitchforks and torches!”)

What should I do?

Nothing, yet.  Right now, this is mostly a techie problem.

Remember that bit about crypto keys?  That’s the part which puts the little lock icon next to the URL in your browser when you go to your bank’s Web site, or to Amazon to buy things, or whatever.  The crypto keys make sure that your conversation with your bank about your balance is just between you and your bank.

That’s also the part which is making techies the world over a little more stressed and tired.  You see, we know that the people who found the bug were “good guys” and helped to get the bug fixed, but we don’t know if any “bad guys” found the bug before this week.  And if a “bad guy” used the bug to extract crypto keys, they would still have those crypto keys, and could still use them even though the original bug is fixed.  That would mean that a “bad guy” could intercept your conversation with your bank / Amazon / whoever.

Since we don’t know, we have to do the safe thing, and assume that all our keys were in fact stolen.  That means we have to redo all our crypto keys.  That’s a lot of work.

And because your password travels over a connection protected with those same crypto keys, if a “bad guy” has Amazon’s key, they’d be able to get in the middle of that connection and watch you change your password at Amazon.  Maybe they didn’t even have your old password, but now they have your new one.  Oops.  You’re now less secure than you were.

Now, it’s important to make sure we’re clear: we don’t know that this has happened.  There’s really no way of knowing, short of actually catching a “bad guy” in the act, and we haven’t caught anyone–yet.  So, this is a safety measure.

Thus, the best thing to do is: don’t panic.  Continue to live life as usual.  It might be prudent to put off doing some things for a few days, but I wouldn’t even worry so much about that.  If you pay your bills online, for example, don’t risk paying a bill late out of fear.  Remember: so far, we have no evidence yet that anyone’s actually doing anything malicious with this bug.

At some point, a lot of sites are going to post a notice that looks a lot like this:

We highly recommend our users change the password on their Linux Foundation ID—which is used for the logins on most Linux Foundation sites, including our community site, Linux.com—for your own security and as part of your own comprehensive effort to update and secure as many of your online credentials as you can.

(That’s the notice my employer posted once we had our site in order.)

That will be your cue that they’ve done the work to redo their crypto keys, and that it’s now safe to change your password.

A lot of sites will make statements saying, essentially, “we don’t have a problem”.  They’re probably right.  Don’t second-guess them; just exhale, slowly, and tick that site off your list of things to worry about.

Other sites might not say anything.  That’s the most worrying part, because it’s hard to tell if they’re OK or not.  If it’s an important site to you, the best course of action might be to just ask, or search on Google / Bing / DuckDuckGo / wherever for some kind of statement.

What about your site?

Yup, I use OpenSSL, and I was vulnerable.  But I’m the only person who actually logs in to anything on this site.  I’ve got the bugfix, but I’m still in the process of creating new keys.

Part of the problem is that everyone else is out there creating new keys at the same time, which creates a bit of a traffic jam.

So yeah, if you were thinking of posting your credit card number in a comment, and wanted to make sure you did it securely… well, don’t do that.  EVER.  And not because of Heartbleed.