Support 100 years of independent journalism.

9 April 2014updated 09 Jun 2021 8:19am

The “Heartbleed” bug gives hackers access to all of your confidential info – how?

Web engineers are currently in panic mode as they try to repair the damage of a bug that has gone unnoticed for more than two years.

By Ian Steadman

There has been a major security bug discovered in one of the most popular mechanisms for keeping information confidential on the internet. The security company which discovered it, Codenomicon, is calling it “Heartbleed”, as it threatens such a vital, central part of how many websites work. It can give hackers access to all kinds of sensitive, confidential information – passwords, usernames, birth dates, anything – without leaving any trace of an attack.

To explain how it works, let’s first lay out how websites send private information to each other. When you’re reading the New Statesman website, for example, you’ve sent a request to the server the website’s on, and it, in turn, has fired back the digital bits that reconstruct themselves into the website on your screen. So far, so simple. But if you’re on a website where you’re logged in – everything from social media like Facebook to being logged into your Google account while searching for something online – there’s an added layer of privacy required to make sure that nothing can listen into the chatter between your computer and the server.

That layer can take the form of certificates, verified with cryptographic keys (just like the way that emails are encrypted, for example). You log in, the site verifies your login, and gives you a certificate that you then send along with your requests for each page you load so it knows that you are you. That’s why you only have to log in once per session. Each interaction between your computer and the server involves a swap of encrypted certificates, verifying that the data’s going to and from the same two end points every time. It’s a great way to stop hackers from sniffing in on a web traffic and hearing what’s being transmitted, as they won’t have the correct keys to decrypt it.

SSL and TSL protocols are the standard for encrypting and decrypting connections, with the open source OpenSSL being the most popular library of keys. What Codenomicon found was that – undiscovered since 2011 – there’s been a major flaw in OpenSSL’s library that effectively destroys its efficacy, and (as far as anyone can tell) nobody has noticed until now. Since OpenSSL is in use on roughly two-thirds of all sites, including major services like Yahoo, Tumblr, Twitter and Dropbox, a flaw this big affects millions upon millions of users.

What the Heartbleed bug does is let anyone ping a server and make it throw up information from its memory, in 64kb chunks. The data that leaks is completely random – it could be anything from among the server’s memory at that moment – and 64kb isn’t much, but there’s no encryption on it, and it can be done as many times as possible. Passwords, usernames, security keys used to encrypt databases, anything at all, drip by drip by drip, it can all bleed away.

Sign up for The New Statesman’s newsletters Tick the boxes of the newsletters you would like to receive. Quick and essential guide to domestic and global politics from the New Statesman's politics team. The New Statesman’s global affairs newsletter, every Monday and Friday. The best of the New Statesman, delivered to your inbox every weekday morning. A weekly round-up of The New Statesman's climate, environment and sustainability content. A handy, three-minute glance at the week ahead in companies, markets, regulation and investment, landing in your inbox every Monday morning. Our weekly culture newsletter – from books and art to pop culture and memes – sent every Friday. A weekly round-up of some of the best articles featured in the most recent issue of the New Statesman, sent each Saturday. A weekly dig into the New Statesman’s archive of over 100 years of stellar and influential journalism, sent each Wednesday. Sign up to receive information regarding NS events, subscription offers & product updates.

Even if OpenSSL is patched for a website, there are all kinds of knock-on consequences that might be an issue down the road – for example, it’s probably not worth changing your password out of fear that it’s been stolen if the website you’re registered on hasn’t done the patch yet. It could just be stolen again. Even worse, the security keys used to verify the certificates for each user, meaning the site’s entire database could be compromised. We just don’t know the scale of how bad things are yet. In the words of cryptography expert Bruce Schneier it’s a “catastrophic” bug. “On the scale of 1 to 10, this is an 11.”

There are limited things that users can do right now. This site lets you check if OpenSSL has been patched on a site you’re trying to visit, so before changing any passwords it’s worth testing that, but it’s going to be a few days before most site managers get a grips on the problem. As Steve Lohr writes in the New York Times: “Wait a day or so. Then change the passwords on the web services you use. That is probably the best advice…”