Recently it was discovered that OpenSSL contained a serious bug that allowed an ordinary TLS client to read plaintext out of the memory of a TLS-protected server by abusing the TLS Heartbeat extension. The advisory is CVE-2014-0160, better known as Heartbleed. This has to be one of the most dangerous security vulnerabilities to hit the Internet in a decade. More information can be found at https://heartbleed.com/ (ironically enough, using a self-signed certificate as of this writing).
I don't wish to cover all the extensive details of this vulnerability; there are many of them. However, I do want to address it from the point of view of passwords, which is something I can handle on this blog. First, let's review the Heartbleed vulnerability:
- FACT: The bug was committed to OpenSSL on December 31, 2011 and shipped in OpenSSL 1.0.1, released March 14, 2012. Versions 1.0.1 through 1.0.1f are affected.
- FACT: The fix was committed on April 5, 2014 and released as OpenSSL 1.0.1g on April 7, 2014.
- FACT: The heartbeat handler never checked the payload length declared in the request against the length of the record it actually received, so each malformed heartbeat returns up to 64 KB of the peer's process memory, and the request can be repeated as often as the attacker likes.
- FACT: A plain TLS client, with no special hardware or software, can pull the server's private key out of that memory. With the key an attacker can impersonate the server and decrypt any recorded session that used RSA key exchange, past or future; sessions negotiated with forward secrecy (DHE or ECDHE) are not decryptable this way.
- FACT: This is not a man-in-the-middle (MITM) attack. The attacker talks to the server directly, and the same bug works in the other direction: a malicious server can read memory from a vulnerable client.
- FACT: An attacker can harvest usernames, passwords, session cookies and anything else sitting in the server's memory, and the malformed heartbeats leave nothing in ordinary server logs, so nobody knows it happened.
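To make the missing bounds check concrete, here is an added example (written for this article, not OpenSSL's own code). It models the heartbeat handler twice: once the way OpenSSL 1.0.1 through 1.0.1f behaved, trusting the declared payload length, and once with the check that 1.0.1g added, which discards any record whose declared payload does not fit inside it. Server memory is simulated with a byte array so the program itself stays within bounds; the record offsets, the `hb_` function names and the secret string planted after the record are constructed for the demonstration and are not taken from the original post.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   1 byte   HeartbeatMessageType (1 = request, 2 = response)
 *   2 bytes  payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding                                        */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR_LEN  3
#define HB_PADDING  16

/* Simulated slice of server process memory: the received record sits at
 * the start, and whatever was allocated after it follows.              */
#define MEM_SIZE 256

/* Write a heartbeat request into rec: `actual_len` bytes of real payload
 * under a header that declares `claimed_len`. Returns the wire length. */
size_t hb_build(unsigned char *rec, uint16_t claimed_len,
                const unsigned char *payload, size_t actual_len)
{
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed_len >> 8);
    rec[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(rec + HB_HDR_LEN, payload, actual_len);
    memset(rec + HB_HDR_LEN + actual_len, 0, HB_PADDING);
    return HB_HDR_LEN + actual_len + HB_PADDING;
}

/* Vulnerable handler (models OpenSSL 1.0.1 - 1.0.1f): trusts the declared
 * length and never compares it with the record it received. `mem_len`
 * only keeps this simulation well-defined; the real code had no bound. */
size_t hb_handle_vulnerable(const unsigned char *mem, size_t mem_len,
                            unsigned char *resp, size_t resp_cap)
{
    uint16_t payload_len = (uint16_t)((mem[1] << 8) | mem[2]);
    if (HB_HDR_LEN + (size_t)payload_len + HB_PADDING > resp_cap) return 0;
    if (HB_HDR_LEN + (size_t)payload_len > mem_len) return 0; /* sim only */
    resp[0] = HB_RESPONSE;
    resp[1] = mem[1];
    resp[2] = mem[2];
    /* Past the real payload this reads neighbouring memory into the reply. */
    memcpy(resp + HB_HDR_LEN, mem + HB_HDR_LEN, payload_len);
    memset(resp + HB_HDR_LEN + payload_len, 0, HB_PADDING);
    return HB_HDR_LEN + payload_len + HB_PADDING;
}

/* Fixed handler (models the 1.0.1g check): a record too short for header
 * plus padding, or whose declared payload does not fit inside the record,
 * is silently discarded by returning 0.                                 */
size_t hb_handle_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *resp, size_t resp_cap)
{
    if (rec_len < HB_HDR_LEN + HB_PADDING) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR_LEN + (size_t)payload_len + HB_PADDING > rec_len) return 0;
    if (HB_HDR_LEN + (size_t)payload_len + HB_PADDING > resp_cap) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len);
    memset(resp + HB_HDR_LEN + payload_len, 0, HB_PADDING);
    return HB_HDR_LEN + payload_len + HB_PADDING;
}

/* True if needle occurs anywhere in the first hay_len bytes of hay. */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Plant a two-byte request followed by a constructed secret in simulated
 * memory, declare `claimed_len`, and run one handler. Returns -1 if the
 * request was discarded, 1 if the reply contains the secret, else 0.    */
int hb_demo(int use_fixed, uint16_t claimed_len)
{
    unsigned char mem[MEM_SIZE] = {0};
    unsigned char resp[MEM_SIZE + HB_HDR_LEN + HB_PADDING];
    const unsigned char payload[2] = {'h', 'b'};
    const char *secret = "user=alice&pass=hunter2"; /* constructed sample */

    size_t rec_len = hb_build(mem, claimed_len, payload, sizeof payload);
    memcpy(mem + rec_len, secret, strlen(secret)); /* "adjacent" heap data */

    size_t n = use_fixed
        ? hb_handle_fixed(mem, rec_len, resp, sizeof resp)
        : hb_handle_vulnerable(mem, sizeof mem, resp, sizeof resp);
    if (n == 0) return -1;
    return contains(resp, n, secret);
}

int main(void)
{
    printf("vulnerable, claims 200 bytes: %d\n", hb_demo(0, 200)); /* 1 */
    printf("fixed,      claims 200 bytes: %d\n", hb_demo(1, 200)); /* -1 */
    printf("fixed,      claims   2 bytes: %d\n", hb_demo(1, 2));   /* 0 */
    return 0;
}
```

The request that the public Heartbleed scanners send is exactly the `claimed_len` much larger than the carried payload case: a patched server drops it, an unpatched one answers with a reply far longer than the request it received. Note that the fix does not validate the payload contents at all; it only refuses to copy more bytes than the record actually contained.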
To demonstrate this, here is a post by Ronald Prins on Twitter:
We were able to scrape a Yahoo username & password via the Heartbleed bug. Censored example in our blog: http://t.co/iBPqitjAFa
— Ronald Prins (@cryptoron) April 8, 2014
He demonstrates it on his blog, showing a censored example. What does this mean? It means that if you logged into a server running a vulnerable OpenSSL (1.0.1 through 1.0.1f) over TLS at any point in the past two years, your username and password could already be compromised. This includes your email account, your bank account, your social media accounts, and any others. If the service uses two-factor authentication, the stolen password alone does not get an attacker into that specific account, so it is likely safe (although a session cookie leaked from the same memory could still be abused). However, if you share passwords between accounts, the other accounts may not be.
I really wish I was joking.
My advice? Time to change the passwords on accounts you think you may have used over the past two years. But, before you do so, you need to know that the service has actually patched Heartbleed; a new password sent to a still-vulnerable server can be scraped exactly like the old one, and a service that patched but has not reissued its certificate is still exposed to anyone who already captured the private key. You can use http://possible.lv/tools/hb/ and http://filippo.io/Heartbleed/ as online Heartbleed testers before logging in with your account credentials.