8 April 2014

Heartbleed bug (What is it? What happened? Where to find useful resources?)

WARNING! I am not an expert in the field.

Table of contents:

  1. What is OpenSSL?
  2. What happened?
  3. Consequences
  4. Interesting links and resources about the Heartbleed bug (if you want to know more)
  5. My opinion


Every day we hear about a new 'critical' bug found in project X, website Y or OS Z.
Some of them are more or less scary.

Recently, Neel Mehta from Google Security found a serious bug in OpenSSL, which has existed for... 2 years. Bodo Moeller and Adam Langley created a fix for OpenSSL.

What is OpenSSL?

OpenSSL is a cryptographic software library: an open-source implementation of the SSL and TLS protocols. These protocols are responsible for communication security over the Internet (from Wikipedia).

It is a widely used library.
For example:
  • Apache and Nginx servers (nearly 70% of websites use this software!)
  • Heroku (Cloud Application Platform)
  • WordPress (a free and open-source blogging tool and content management system)
  • Multiple Cisco products
  • Android 4.1.1 (Jelly Bean)

What happened?
Let's start from the official information.
The OpenSSL Security Advisory states: "A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server." OpenSSL versions 1.0.1 through 1.0.1f are affected by this vulnerability (from https://www.openssl.org/news/secadv_20140407.txt).

If you have no clue what that means (like me), then I may explain the consequences of the problem:
"This bug allows anyone on the Internet to obtain private keys, secrets (to identify the service providers and to encrypt the traffic), the names and passwords of the users and the actual content." (from http://heartbleed.com)

Oh dear.
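To make the advisory's "missing bounds check" concrete, here is an added example (my own code, not OpenSSL's) that models the heartbeat record layout from RFC 6520 and the single check the fix adds. The function name, return codes and the two constructed records are assumptions made for this illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat record (RFC 6520): type (1) | payload_length (2, big-endian) | payload | padding (>= 16).
 * Added example, not OpenSSL's code; names and return values are assumptions. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Builds the reply for one received record. Returns bytes written, or -1 if rejected. */
int heartbeat_reply(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 3) return -1;                          /* no room for type + length */
    uint8_t type = rec[0];
    size_t payload = ((size_t)rec[1] << 8) | rec[2];     /* length claimed by the peer */
    if (type != HB_REQUEST) return -1;

    /* The bounds check the advisory refers to: the claimed payload must fit inside the
     * bytes actually received. Without it, the memcpy below would read `payload` bytes
     * (up to 64 KiB) past the real record, i.e. whatever sits next to it in memory. */
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len) return -1;

    size_t need = 1 + 2 + payload + HB_MIN_PADDING;
    if (need > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);                   /* echo only bytes we really have */
    memset(out + 3 + payload, 0, HB_MIN_PADDING);        /* padding (real code uses random bytes) */
    return (int)need;
}

int main(void)
{
    /* Constructed records: both are 23 bytes on the wire (3 header + 4 payload + 16 padding). */
    uint8_t honest[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };   /* claims 4 bytes */
    uint8_t lying[23]  = { HB_REQUEST, 0xff, 0xff, 'p', 'i', 'n', 'g' };   /* claims 65535 */
    uint8_t out[70000];
    printf("honest record -> %d bytes replied\n", heartbeat_reply(honest, sizeof honest, out, sizeof out));
    printf("lying record  -> %d (rejected)\n",    heartbeat_reply(lying,  sizeof lying,  out, sizeof out));
    return 0;
}
```

A patched server answers the honest record with a 23-byte reply and drops the lying one; an unpatched one would have answered the lying record with 64 KiB of its own memory.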

Consequences
In short...
Houston, we have a problem. A BIG ONE.
It means somebody can steal your digital valuables. It means DISASTER.

Sounds scary? Well, because it is!
Good news:

  • It is not the end of the world.

Bad news:

  • It will cause lots of trouble soon, but it will be fine.
  • First, many pages will display certificate issues.
  • Some software will have emergency releases.


If you want to know more:

If you want to learn more about the Heartbleed bug, then:

  • If you need all the essential information about the bug and what to do, look here:
  • Some technical information about the bug (where it is, what the fix looks like, etc.) is here:
  • To test whether you are affected (for website owners, or to check a service where you store critical data), go here:

My opinion:
Bugs happen and they will keep happening.
I feel sorry for the guy (Dr. Stephen Henson) who introduced the bug in this git commit (git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4817504). (Git is cruel!)
Many people go wild criticising the OpenSSL team for that bug.

BUT...
OpenSSL is open source.
It means:
  • It is everybody's responsibility to take care of it.
  • If you believe that something is needed (for example, a security audit), DO IT and share the result with the OpenSSL community (too expensive? Use crowdfunding instead).


So people, stop blaming and bitching about it. It is useless and you waste your time. Use that time to improve OpenSSL instead.


Another question is about secure programming in C. Many people say that these days secure programming in C is almost mission impossible and OpenSSL should be rewritten, BUT... at the moment YOU must live with the fact that OpenSSL is written in C.


Sources:
