For starters – this is meant to explain in simplest terms WHAT we’re dealing with and WHY it happened, and HOW to fix it. This is not technojargon, and the explanations and examples used are of the most stripped down, basic, “get the point across” type.
What’s the “Heartbleed” problem?
Its a bug, or flaw, in OpenSSL that can expose your password or information on your machine to someone between you and the website you’re visiting.
So what is OpenSSL?
OpenSSL is an encryption (scrambling) service that takes private information like passwords and jumbles them up into a long series of random letters and numbers, and then unscrambles that string of randomness on the server side so you can login.
And that works how?
OpenSSL sends pings (little messages) from the server back to your machine every so often, just checking to see if you’re still doing anything. Click on a link, and it knows you’re doing something. Let’s start with a basic example. Have you ever been logged in on your bank’s website, and run to the kitchen to get your debit card, you stop for a snack, then come back 5 minutes later and it says “You have been logged out due to inactivity”? Well, that means OpenSSL didn’t get a message back that you were doing anything, so they log you out to help prevent accidental “bad banking stuff” by your kids who want to watch Minecraft videos on Youtube.
Wait, whats Minecraft? I’ve heard of that!
Its just a game that kids inexplicitly love, it doesn’t have anything to do with this problem.
Okay, so back to Heartbleed? What’s the problem?
Well, those little messages that get sent from the server to your machine, imagine they say “Hey, are you still doing stuff? If so send me this message back,” along with how long the message is. When you do something, it sends a message back that says “Hey, are you still doing stuff? If so, send me this message back. Yes I am.” Your machine responds with what they asked and the answer, and how long the entire message is. The length of the messages are important, because they tell OpenSSL where to start and stop looking for responses to its own questions.
Basic example from above:
Server: Hey, are you still doing stuff? If so send me this message back 13
You: Hey, are you still doing stuff? If so send me this message back Yes I am 16
If the server sends 13 words, and you send back its 13, plus the 3 from your response, then it knows to start reading at 13 and to read the next 3.
This is a way of preventing attacks, because if a hacker doesn’t know the question, he can’t answer it pretending to be you, and he doesn’t know how long your answer was.
Got it, so how’d that break?
The problem that was found, is that OpenSSL doesn’t have a way of knowing if one side of the conversation lied about how long the messages are. If a hacker has written a bug, and you’ve logged into ABC Bank, and he knows you logged in there, he can send your computer a message that lies about how long its message and answer is, all while pretending to be the bank. So, a hacker asks “Hey, are you still doing stuff? If so send me this message back 500” Well, 500 is way more than our original 13.
When this happens, your computer’s memory keeps reading his message well beyond what it should have been. It thinks somewhere in its memory is another 487 words that it needs to send back. When it starts doing that, it starts sending back other information that is presently in your memory – maybe other open tabs in your web browser, or what you’re doing in Photoshop, possibly other OpenSSL related passwords – just whatever you’re working on or have been recently doing.
Um… so what now?
Well, the good folks at Mashable have put together a great list of websites that are and aren’t affected and if you should change your passwords for them or not. Start by checking that out here – http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
That will take a while, I use Facebook, but a lot of the sites not hit by this too. Do I just need to update my Facebook password?
Well, It’s advised that just because Bank of America isn’t on the list of sites that was affected, if you’re a Facebook user you should update that password as well. Hey, better safe than sorry!
Update: By Thursday morning, all of Fuel Interactive’s servers, and by extension our client’s sites, have been remedied with the updated patches.