Cue the hyperbole and clapping monkeys. Today brings news to the screens of security folks the world over that OpenSSL has an OMG ZERO DAY AUUGGGGGHHHHH…oh, wait, there’s a fix.
First off, what is the heartbleed bug? This bug, discovered by Neel Mehta from Google, is a weakness specific to the OpenSSL library, widely used software that is responsible for handling cryptographic functions. According to the researcher this could lead to theft of data in transit that would otherwise be secured from prying eyes. Which begs the question, has anyone slammed their fist onto the surveillance button yet?
Mehta wrote: "Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication." Which I can safely say is fire bad.
"OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <email@example.com> and Bodo Moeller <firstname.lastname@example.org> for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2."
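To make the advisory's "missing bounds check" concrete, here is an added example written for this post (not OpenSSL's source): a minimal parser for the RFC 6520 heartbeat layout that applies the length check the 1.0.1g fix adds, plus a function showing how far an unchecked copy would read past the received record. The two sample requests are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 6520 heartbeat message inside a TLS record:
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16) */
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16
#define HB_DECLARED(rec) (((size_t)(rec)[1] << 8) | (rec)[2])

/* Parse a heartbeat request with the bounds check the 1.0.1g fix adds: header +
 * declared payload + minimum padding must fit in the bytes actually received.
 * Returns the payload length (and its start, if `payload` is non-NULL), or -1. */
static int hb_parse(const uint8_t *rec, size_t rec_len, const uint8_t **payload)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING)
        return -1;                  /* too short to be a heartbeat at all */
    size_t declared = HB_DECLARED(rec);
    if (HB_HDR_LEN + declared + HB_MIN_PADDING > rec_len)
        return -1;                  /* declared length overruns the record: discard */
    if (payload)
        *payload = rec + HB_HDR_LEN;
    return (int)declared;
}

/* Bytes past the received record that an unchecked responder (1.0.1f copied
 * `declared` bytes on trust) would echo from adjacent process memory. Zero for a
 * well-formed request; at most 65535 because the field is 16 bits ("up to 64k"). */
static size_t hb_overread_if_unchecked(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR_LEN) return 0;
    size_t available = rec_len - HB_HDR_LEN, declared = HB_DECLARED(rec);
    return declared > available ? declared - available : 0;
}

/* Constructed sample requests (not captured traffic): a valid 4-byte "ping" with
 * 16 bytes of padding, and the same 23 bytes with the length field set to 0xFFFF. */
static const uint8_t hb_good[] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
                                   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t hb_bad[]  = { 0x01, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
                                   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    printf("good: %d  bad: %d  unchecked over-read on bad: %zu bytes\n",
           hb_parse(hb_good, sizeof hb_good, NULL), hb_parse(hb_bad, sizeof hb_bad, NULL),
           hb_overread_if_unchecked(hb_bad, sizeof hb_bad));
    return 0;
}
```

The checked parser accepts the first request (payload length 4) and rejects the second, which an unchecked copy would have answered with 65515 bytes from beyond the record.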
This news of the OpenSSL vulnerability, charmingly entitled “heartbleed”, is bad. The cycles that spin out of this could result in some very interesting stories. The part that I would much rather focus on is that there is a fix. So get your patch on and, as Akamai CSIRT Director Michael Smith put it best, "Keep calm and crypto on."
NB. In the interest of full disclosure, I work for Akamai. I should point out that our network is already fully patched.