On Monday, it was announced that OpenSSL, an incredibly popular encryption library (quite possibly the single most popular), contained a rather serious security bug named Heartbleed. This name refers to the TLS “heartbeat” that is abused in order to exploit the bug.
This bug basically allows anybody to obtain an arbitrary 64kb of an affected server’s memory. An attacker can do this as many times as they need to obtain more and larger secrets. Secrets like encryption keys.
While some end users can at least get a feel for how big of a problem this is, very few are aware of how it affects them, directly, and why. What exactly can an attacker do with a “secret” from a server that you use?
I’ll also explore an SSL feature designed to mitigate this sort of attack, how it helps here, how it doesn’t and which popular websites don’t use it.