Websites, emails, direct messages and other communications utilizing SSL/TLS encryption may be at risk due to a critical vulnerability – known as the Heartbleed Bug – that was discovered in widely used versions of the OpenSSL library.
The bug, which could even threaten payment card data, enables an attacker to immediately and surreptitiously steal the private cryptographic key of any secure server, Seth Schoen, senior staff technologist with the Electronic Frontier Foundation (EFF), told SCMagazine.com in a Tuesday email correspondence.
This means that if someone recorded encrypted communications with a service, even months or years ago, and used the Heartbleed Bug to steal the service’s keys, then that person could go back and decrypt what was unintelligible at the time, Schoen explained.
This would not be possible if the server was using Perfect Forward Secrecy, Schoen said.
For companies that have enabled Perfect Forward Secrecy, like Twitter, there is essentially no cryptographic master key and decryption becomes practically impossible, courtesy of a cryptographic key exchange known as Diffie-Hellman.
The flaw – officially referred to as CVE-2014-0160 – is appropriately named since it resides in the OpenSSL’s implementation of the TLS/DTLS heartbeat extension, according to heartbleed.com, a website established by vulnerability management company Codenomicon. The site explains that OpenSSL 1.0.1 through 1.0.1f is vulnerable.
“Most versions of Linux and popular web servers, such as Apache and Nginx, are affected; as well as applications such as email services, VPN and chat applications,” Ken Westin, a security researcher with Tripwire, told SCMagazine.com in a Tuesday email correspondence.
Combined, Apache and Nginx account for more than 66 percent of the active website market share, according to an April 2014 Netcraft survey.
“It doesn’t stop there, however, many routers and embedded devices use OpenSSL and some of these will be much more difficult to patch,” Westin said. “It’s possible that some embedded devices can’t be patched at all.”
In order to mitigate this threat, Westin said that individuals should patch affected systems with OpenSSL 1.0.1g, revoke old key repairs, change passwords on systems, invalidate all session keys and cookies, and research potential data that may have been compromised.
A Google security researcher and a group of security engineers with Codenomicon independently discovered the Heartbleed Bug and reported it to the OpenSSL team, according to heartbleed.com, which adds that the bug was introduced in December 2011 and has been out in the wild since March 14, 2012.
In a Tuesday email correspondence, Mark Schloesser, a security researcher with Rapid7, told SCMagazine.com that this vulnerability opens up the doors to a whole slew of problems.
“A third party could have obtained these [private keys] and subsequently mounted man-in-the-middle attacks against clients, as they can impersonate the server,” Schloesser said. “In addition, the wide range of possible leaked data, such as log entries, database entries and credentials, could lead to other attack scenarios depending on the actual application that uses SSL.”