What You Need to Know About the Heartbleed Bug

If you haven’t already heard, a serious vulnerability in OpenSSL was disclosed recently. The Heartbleed Bug, which is as scary as it sounds, allows an attacker to capture potentially sensitive information from a server’s memory by exploiting a flaw in OpenSSL’s implementation of the SSL/TLS heartbeat extension.

How it Works

SSL/TLS, the encryption protocol commonly used for securing traffic between web browsers and servers, has a feature called a “heartbeat.” Every now and then, an exchange like this happens between the client and the server:

Client: You still there? If so, send back “ALIVE,” which is five characters.

Server: ALIVE

If the heartbeat succeeds, the connection stays open. This keeps happening, over and over, with a different value being passed each time.

Now here’s what happens if someone exploits the Heartbleed bug:

Client: You still there? If so, send back “KITTEN,” which is 300 characters.

Server: KITTEN, and here’s a block of random memory from RAM!

In this manner, an attacker can get a chunk of up to 64KB of server memory every time a heartbeat is sent, because the server never checked the claimed payload length against the size of the heartbeat record it actually received. (So an attacker can just repeatedly make attempts.) Eventually, they’d get lucky and find something interesting, such as the SSL certificate or users’ passwords and data.
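The following is an added illustration, not code from the original post or from OpenSSL. It models the heartbeat record format (type, declared payload length, payload, padding) and the server's process memory as a constructed byte array, so the unchecked copy and the bounds check that fixed it can be compared side by side:

```python
import struct
from typing import Optional

# Heartbeat record layout: 1-byte type, 2-byte declared payload length,
# the payload itself, then at least 16 bytes of padding.
HB_REQUEST, HB_RESPONSE, PADDING_LEN = 1, 2, 16

def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """A well-behaved client declares the real payload length; the bug is
    triggered when the declared length exceeds the bytes actually sent."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN

def vulnerable_handler(memory: bytearray, record_len: int) -> bytes:
    """Models the unpatched logic: trusts the declared length and copies that
    many bytes starting at the payload, regardless of how long the record is.
    `memory` is a constructed stand-in for the server's heap; the record sits
    at offset 0 and whatever follows it represents unrelated live data."""
    _, claimed_len = struct.unpack("!BH", memory[:3])
    echoed = bytes(memory[3:3 + claimed_len])        # may run far past the record
    return struct.pack("!BH", HB_RESPONSE, claimed_len) + echoed

def fixed_handler(memory: bytearray, record_len: int) -> Optional[bytes]:
    """Models the patched logic: header + declared payload + minimum padding
    must fit inside the record that was actually received, else discard it."""
    if record_len < 1 + 2 + PADDING_LEN:
        return None
    _, claimed_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + claimed_len + PADDING_LEN > record_len:
        return None                                   # silently drop the request
    echoed = bytes(memory[3:3 + claimed_len])
    return struct.pack("!BH", HB_RESPONSE, claimed_len) + echoed

def simulate(payload: bytes, claimed_len: Optional[int], handler):
    """Place a heartbeat record in a constructed 'heap' followed by data that
    should never leave the server, then run the chosen handler over it."""
    record = build_heartbeat(payload, claimed_len)
    memory = bytearray(record) + bytearray(b"secret=hunter2;session=abc123" * 16)
    return handler(memory, len(record))

if __name__ == "__main__":
    print(simulate(b"ALIVE", None, vulnerable_handler))     # honest request: fine
    print(simulate(b"KITTEN", 300, vulnerable_handler))     # unchecked: leaks heap
    print(simulate(b"KITTEN", 300, fixed_handler))          # checked: None
```

The honest request is answered identically by both handlers; only the mismatched length separates the two behaviours, which is why the patch is a single bounds check.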

Exploiting this bug is trivial. (There were people posting scripts to test for the vulnerability minutes after it was announced. Just imagine how quickly malicious types got to work implementing exploits for the bug!) It’s also possible that someone knew about it months or even a couple years ago, and has been exploiting it ever since. Bloomberg even suggests that the NSA has known about it for two years, and has been exploiting it rather than disclosing the problem.

Is it Fixed?

Yes! Your Linux distro should already have patched builds in its package manager, so it’s just a simple matter of running a couple of commands to update your openssl and libssl1.0.0 packages, then restarting any services that depend on SSL (a running process keeps using the old library it loaded until it is restarted). Or just do a full reboot if you’re paranoid. In the case of Ubuntu, you’d just do something like this to update the packages:

sudo apt-get update
sudo apt-get dist-upgrade

You should then revoke your SSL certificates and issue new ones, since the private keys behind them may have been leaked through the bug.

What Should I Do, as a User?

Change your passwords! For anything important—email, banking, etc.—you should consider picking a new password.
