How Did Heartbleed Put the Whole Internet in Danger?
A tiny bug has the Web community terrified.
Dear Internet user, by now you've probably heard about the Heartbleed bug. Hopefully you've already changed your passwords. You're probably wondering how a tiny flaw came to put the whole Web at risk. Here's what happened.
Much of the Internet relies on free, volunteer-created code. In this case, the bug was found in an encryption library called OpenSSL, a project run by four people who work on it part-time. The 15-year-old software is nearly ubiquitous, securing about two-thirds of encrypted Internet connections.
To put it in simpler terms, something like half a million websites use code created by OpenSSL for their encryptions. You may have heard of a few: Google, Yahoo, OKCupid, Instagram, and TurboTax are among the sites affected.
So what caused the problem? Well, connected systems like to communicate periodically to make sure their counterparts are still online. This is known as a heartbeat, something like the pulsing beats sent out by monitors in hospital rooms.
A heartbeat consists of two things: 1) a small amount of data, and 2) a number stating how much data is being sent. One computer sends some arbitrary data, say 16 kilobytes' worth, and tells the other exactly how much it should expect to receive.
The receiving computer will respond, acknowledging the number and sending the received data right back. This is how both computers know the other is still around.
This is where the problem comes in. In OpenSSL, the receiving computer looked only at the number, not at how much data had actually arrived. When it responded, it sent back as many bytes as the number said, rather than as many as it had received.
This wouldn't normally be a problem, since in a legitimate heartbeat the number always matches the data that accompanies it. But if an attacker crafted a heartbeat carrying a false number, it could cause trouble.
For instance, if a hacker sent a heartbeat consisting of 16 kilobytes of data, but told the receiving computer it was sending 32, the computer would send 32 right back. It would make up the difference by grabbing random bits of data from its own memory.
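The mechanism described above, reduced to a few lines of C, as an added example that is not code from the article or from OpenSSL itself. The record layout (a 1-byte type, a 2-byte length, the payload, then at least 16 bytes of padding) follows the TLS heartbeat extension, and the "process memory" is a constructed byte array in which a placeholder secret string sits right after the received record, standing in for whatever other data a real server would have nearby. The vulnerable handler copies as many bytes as the length field claims; the fixed handler first checks that the claimed length fits inside the bytes that actually arrived, which is the shape of the check OpenSSL added. Nothing here touches the network: the over-read stays inside the simulated memory array.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record layout: 1 byte type, 2 byte big-endian payload length,
 * the payload, then at least 16 bytes of padding. */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16
#define HB_REQUEST 1
#define HB_RESPONSE 2

/* Simulated process memory. The received record is written at the start and
 * a constructed placeholder secret is placed immediately after it, the way
 * unrelated data from other connections would sit nearby in a real server. */
#define ARENA_SIZE 256
static uint8_t arena[ARENA_SIZE];
static const char secret[] = "password=hunter2;card=4111-1111"; /* constructed */

/* Build a heartbeat request in the arena. The payload actually written is
 * `actual_len` bytes of 'A', but the length field claims `claimed_len`.
 * Returns the record length as the transport layer would report it. */
size_t build_record(uint16_t claimed_len, size_t actual_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memset(arena + HB_HEADER_LEN, 'A', actual_len);
    size_t record_len = HB_HEADER_LEN + actual_len + HB_MIN_PADDING; /* padding left as zeros */
    memcpy(arena + record_len, secret, sizeof secret); /* whatever lies beyond the record */
    return record_len;
}

/* Vulnerable handler: trusts the length field and never compares it with the
 * number of bytes actually received, so a false number reads past the record. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t resp_cap) {
    (void)rec_len; /* never consulted: this is the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)payload_len + HB_HEADER_LEN > resp_cap) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len); /* over-read when claimed > actual */
    return HB_HEADER_LEN + payload_len;
}

/* Fixed handler: header + claimed payload + minimum padding must fit inside
 * the bytes that actually arrived, otherwise the record is silently dropped. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t resp_cap) {
    if (rec_len < HB_HEADER_LEN) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len) return 0;
    if ((size_t)payload_len + HB_HEADER_LEN > resp_cap) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    return HB_HEADER_LEN + payload_len;
}

/* Does a fragment of the placeholder secret appear in the response bytes? */
int response_leaks_secret(const uint8_t *resp, size_t resp_len) {
    const char *needle = "hunter2";
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= resp_len; i++)
        if (memcmp(resp + i, needle, n) == 0) return 1;
    return 0;
}

/* Run one scenario end to end: returns the response length the chosen handler
 * produced (0 means the record was rejected) and reports whether it leaked. */
size_t run_scenario(uint16_t claimed_len, size_t actual_len, int use_fixed, int *leaked) {
    uint8_t resp[ARENA_SIZE];
    size_t rec_len = build_record(claimed_len, actual_len);
    size_t n = use_fixed ? heartbeat_fixed(arena, rec_len, resp, sizeof resp)
                         : heartbeat_vulnerable(arena, rec_len, resp, sizeof resp);
    if (leaked) *leaked = response_leaks_secret(resp, n);
    return n;
}

int main(void) {
    int leaked;
    size_t n = run_scenario(64, 16, 0, &leaked); /* claims 64 bytes, sends 16 */
    printf("vulnerable handler: %zu bytes returned, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_scenario(64, 16, 1, &leaked);
    printf("fixed handler: %zu bytes returned (0 = rejected), secret leaked: %s\n", n, leaked ? "yes" : "no");
    return 0;
}
```

With the article's own figures (16 bytes sent, 32 claimed) the vulnerable handler happily answers with 32 payload bytes even though only 16 plus padding arrived, while the fixed handler drops the record. Claiming more than the record plus its padding (64 here) is what makes the over-read reach the placeholder secret, and that is also why the check has to count the padding, not just the header and payload.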
That data could include passwords, credit card numbers and all kinds of sensitive information. Of course, any single heartbeat is unlikely to land on exactly those bytes, but as heartbeats repeat over and over, attackers could potentially pile up troves of memory contents and then search them for patterns that identify exploitable material.
No one really knows if hackers were aware of the Heartbleed flaw. It's been around for two years, so if malicious operators recognized the bug a while ago, nearly everyone's online presence could be at risk.
On the other hand, if the engineers who discovered it were the first to be aware of its presence, you might be in the clear.