Heartbleed. What it Is, What it Means and Why You Should Care

As you may have heard over the past few days, a new security vulnerability was discovered that could give a hacker access to private information on a remote web server.

More specifically known as the OpenSSL Bug or Heartbleed Bug, it relates to a specific piece of security software used by millions of websites throughout the world to encrypt data traveling from the user's browser to the server.

A quick Primer on SSL

Secure Sockets Layer (SSL) is a standard security technology that is used to establish a secure connection between a web server and a web browser.  This secure connection ensures that all data passing between the web server and the browser remains private.

SSL is used throughout the web to help protect consumers in eCommerce transactions, online banking sessions, and more.  Internet users have come to associate SSL with the padlock icon that appears next to the address bar in their browser.  When the address or URL changes from HTTP to HTTPS, it signifies that a secure connection is being made and the data is being encrypted from the browser to the web server and vice versa.

Although all browsers have the ability to connect via HTTPS to a web server, an SSL certificate is required to be able to establish a secure connection.  An SSL certificate essentially has two keys: 1) a private key and 2) a public key.  The keys work together to create a unique and secure connection between the web server and each individual user.  A certificate also helps to eliminate man-in-the-middle attacks by helping to prove the identity of the website owner.

So what is Heartbleed?

Certain versions of the OpenSSL cryptographic software library contain a weakness that allows a user to obtain information from a web server that would, under normal conditions, be protected.  A bug in the OpenSSL implementation of the heartbeat extension left it open to “leaking” the contents of what was being stored in memory, hence the name “Heartbleed.”

In essence, it allows anyone on the internet “with the right knowledge” to read the memory of a remote system.  This includes the secret keys used to encrypt data traffic between the web server and individual users and could include information such as user names, passwords, credit card numbers, social security numbers, etc.  By allowing malicious users to eavesdrop on these data transmissions, they could, conceivably, use those credentials on remote sites for nefarious purposes.
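To make the "leaking" concrete, here is a small Python model of the heartbeat handling described above, added as an illustration for this post rather than code from OpenSSL or Sendside.  The in-memory "heap" and the session token in it are constructed sample data; the model shows that the whole defect was a single missing comparison between the length a client claims and the length the server actually received.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # heartbeat messages end with 16 bytes of padding

def build_request(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat request: 1-byte type, 2-byte big-endian payload length,
    the payload itself, then padding.  claimed_len is whatever the sender
    puts in the header; it need not match len(payload)."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING

def respond_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Model of the buggy handler.  `memory` is the received record followed
    by whatever else sat in the process heap.  record_len (bytes actually
    received) is accepted but never consulted, which is the defect: the copy
    length comes straight from the peer-controlled header."""
    _, claimed = struct.unpack("!BH", memory[:3])
    payload = memory[3:3 + claimed]  # can run past the record into other data
    return struct.pack("!BH", HB_RESPONSE, claimed) + payload + b"\x00" * PADDING

def respond_fixed(memory: bytes, record_len: int):
    """Patched behaviour: if type + length field + claimed payload + padding
    exceeds the record that was really received, silently drop the request."""
    _, claimed = struct.unpack("!BH", memory[:3])
    if 1 + 2 + claimed + PADDING > record_len:
        return None
    payload = memory[3:3 + claimed]
    return struct.pack("!BH", HB_RESPONSE, claimed) + payload + b"\x00" * PADDING

def demo():
    """Constructed scenario: a 4-byte payload with a header claiming 64 bytes,
    sitting in front of a session token that must never leave the server."""
    record = build_request(b"ping", claimed_len=64)
    heap = record + b"session=constructed-secret-token" + b"\x00" * 32
    return respond_vulnerable(heap, len(record)), respond_fixed(heap, len(record))

if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable handler echoed:", leaked)   # includes the token
    print("fixed handler returned:", safe)        # None: request discarded
```

A well-formed request (claimed length equal to the real payload) still gets a normal echo from the fixed handler, so the check costs legitimate clients nothing.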

How is Sendside Affected?

Fortunately, Sendside does not use the version of OpenSSL that contributed to this vulnerability.

Does that Mean I’m Free and Clear?

Not necessarily.  Many users reuse the same user IDs and passwords across multiple sites.  It’s always a best practice to never reuse passwords across different sites for this reason.  In addition, the use of a strong, unique password is a simple and effective technique to keep your account and information secure.  For more information on creating strong passwords, please review Eric Griffith’s post entitled “Password Protection: How to Create Strong Passwords.”