Heartbleed: A Lesson on Security

I’ve been watching Computerphile videos on YouTube and saw one on the Heartbleed bug, a massive breach in online security in 2014 caused by a negligent oversight in OpenSSL, a library used by the majority of websites. While this is not news, I found it an educational example. It is best explained with xkcd’s comic *important link*

Heartbleed exploited a vulnerability in the Heartbeat protocol, a common way to confirm that two machines are still connected. One computer sends a small message and asks for that same information back to prove the connection is still alive. The issue was that the sending computer could declare the length of its payload incorrectly, and the receiver never checked the claim against what it had actually received. If you sent a small message but said it was large, the receiving computer would take your message and append whatever happened to be next in its memory. A program could then be written to search through the returned data for passwords, credit card numbers, and even security credentials.
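To make the mechanism concrete, here is an added example that is not code from the original post or from OpenSSL. It simulates a heartbeat handler over a constructed byte arena: the received record sits at the front, and a made-up secret (standing in for other connections’ data that happened to be adjacent in memory) follows it. The vulnerable handler trusts the claimed length; the fixed handler discards any request whose claimed payload, plus the 16 bytes of padding the protocol requires, does not fit inside the record actually received. The arena layout, the `SECRET` string and the function names are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TLS heartbeat record layout (RFC 6520): 1-byte type, 2-byte big-endian
 * payload_length, the payload, then at least 16 bytes of random padding. */
#define HB_HEADER   3
#define HB_PADDING  16
#define HB_REQUEST  1
#define HB_RESPONSE 2

/* Constructed "process memory": the received record is placed at the front and
 * unrelated data (a stand-in for some other request's secret) follows it.
 * This is a fixed-size arena for the illustration, not a real heap. */
#define ARENA_SIZE 64
static const char SECRET[] = "SECRET:pw=hunter2";   /* constructed sample value */

/* Fill the arena with a request whose header claims 'claimed' payload bytes
 * but actually carries the string 'payload'. Returns the true record length. */
size_t build_arena(uint8_t *arena, const char *payload, uint16_t claimed) {
    memset(arena, 0, ARENA_SIZE);
    size_t plen = strlen(payload);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + HB_HEADER, payload, plen);
    /* the real payload is followed by 16 bytes of padding (left as zeros here) */
    size_t rec_len = HB_HEADER + plen + HB_PADDING;
    /* whatever was next in memory: here, the constructed secret */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Vulnerable handler: echoes 'claimed' bytes without checking that many bytes
 * were received. Mirrors the shape of the bug; it is not OpenSSL's code. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap) {
    (void)rec_len;                                  /* never consulted: the bug */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)claimed > out_cap) return 0;   /* only guards 'out' */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);  /* reads past the record */
    return HB_HEADER + claimed;
}

/* Fixed handler: the claimed payload plus mandatory padding must fit inside the
 * record that was actually received; otherwise the request is silently dropped. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)claimed + HB_PADDING > rec_len) return 0;
    if (HB_HEADER + (size_t)claimed > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    return HB_HEADER + claimed;
}

/* Detection helper for the demo: 1 if the response carries the neighbouring
 * secret, 0 otherwise. */
int response_leaks_secret(const uint8_t *out, size_t out_len) {
    size_t n = sizeof SECRET - 1;
    for (size_t i = HB_HEADER; i + n <= out_len; i++)
        if (memcmp(out + i, SECRET, n) == 0) return 1;
    return 0;
}

int main(void) {
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, "hi", 40);   /* claims 40 bytes, sends 2 */
    size_t n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    printf("vulnerable: %zu bytes returned, secret leaked = %d\n",
           n, response_leaks_secret(out, n));
    n = heartbeat_fixed(arena, rec_len, out, sizeof out);
    printf("fixed: %zu bytes returned (0 = request discarded)\n", n);
    return 0;
}
```

The only difference between the two handlers is the single bounds check in `heartbeat_fixed`, which is the “step that was needed” the post goes on to describe: the receiver must compare what the sender claims against what it actually received before copying anything back.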

A single check was needed to ensure the sender was honest about its declared payload length, and that was an easy fix, but distributing the updated software was a problem. Educating the public that they need to update their servers is difficult when there are so many users. The Wikipedia article on the subject says it was patched on April 7th, 2014, and that on May 20th 1.5% of the 800,000 most popular sites were still unprotected.

This compromise is so serious because it is impossible to tell how much information was leaked. It illustrates why programmers writing widely used software that handles sensitive information have to be very careful in both design and implementation.

I recently learned that major sites will offer “bug bounties” to people who find and discreetly report bugs in their software. It would be an interesting way to make money if you were knowledgeable in the field. It wouldn’t be about how much money they paid you, but the fact that a major company acknowledges and thanks you for helping them improve (i.e. you found a way through their defenses ethically).

I hope this article has helped you gain a new perspective on the ubiquitous machines we use today. Below is a technical explanation of the code which inspired this article. I recommend checking it out, along with the other videos on their channel, if you are interested in scientific matters. Understanding this material will impress the people in academia who matter.
