The Heartbleed bug is in the news these days. A few days ago, when I first heard about this new bug on NPR radio, I was really surprised that a bug like this could exist for more than two years without someone noticing it or taking steps to fix it. The Heartbleed bug affects all the popular sites that use OpenSSL encryption to secure data transfers between a user and the web server. When the bug first made the news, all the major sites like Google, Yahoo, AOL, etc. were affected, but they quickly fixed the issue. Still, thousands of websites remain affected by the Heartbleed bug.
So what is the Heartbleed Bug?
The Heartbleed bug is a serious flaw in the OpenSSL library, which web servers use to encrypt data transfers between users and websites. OpenSSL has an add-on called "heartbeat" with a bug that leaves data uploaded by users sitting unencrypted in server memory without clearing it properly. This gives a potential attacker a chance to bypass TLS encryption and download chunks of that data directly from the server. Since the data sent over encrypted secure connections (HTTPS) is usually usernames and passwords, it puts all your login credentials at risk. Because the bug is in the "heartbeat" extension, it is called the "Heartbleed" bug.
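To make the "heartbeat" flaw concrete, here is an added example (not code from the original post or from OpenSSL): a small C model of a heartbeat handler in the RFC 6520 message format that keeps the bounds check the vulnerable OpenSSL builds lacked, so a request whose declared payload length exceeds the record it arrived in is discarded instead of answered. Function and type names are my own, and the two sample records in main() are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* RFC 6520 heartbeat: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_MIN_PADDING = 16 };
struct heartbeat { uint8_t type; uint16_t payload_len; const uint8_t *payload; };

/* Parse one heartbeat record; returns 1 if well formed, 0 if it must be discarded.
 * The bounds check is the one vulnerable OpenSSL builds lacked: they trusted
 * payload_len and copied that many bytes whatever the record actually held. */
int heartbeat_parse(const uint8_t *rec, size_t rec_len, struct heartbeat *out)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING)
        return 0;                           /* too short for header plus padding */
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return 0;                           /* declared payload does not fit: reject */
    out->type = rec[0];
    out->payload_len = payload_len;
    out->payload = rec + 3;
    return 1;
}
/* Answer a request by echoing only the validated payload. Returns bytes written, 0 if rejected. */
size_t heartbeat_respond(const uint8_t *req, size_t req_len, uint8_t *buf, size_t buf_len)
{
    struct heartbeat hb;
    if (!heartbeat_parse(req, req_len, &hb) || hb.type != HB_REQUEST)
        return 0;
    size_t need = (size_t)1 + 2 + hb.payload_len + HB_MIN_PADDING;
    if (need > buf_len)
        return 0;
    buf[0] = HB_RESPONSE;
    buf[1] = (uint8_t)(hb.payload_len >> 8);
    buf[2] = (uint8_t)(hb.payload_len & 0xff);
    memcpy(buf + 3, hb.payload, hb.payload_len);
    memset(buf + 3 + hb.payload_len, 0, HB_MIN_PADDING); /* zero padding here; random in real TLS */
    return need;
}
int main(void)
{
    /* Constructed records: same 4-byte payload, once with an honest length, once claiming 65535. */
    uint8_t good[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t bad[23]  = { HB_REQUEST, 0xff, 0xff, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    printf("honest: %zu bytes, lying: %zu bytes\n", heartbeat_respond(good, 23, out, 64), heartbeat_respond(bad, 23, out, 64));
    return 0;
}
```

The honest request gets a 23-byte echo; the one claiming 65535 bytes gets nothing, which is the whole fix.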
How to know if a website is affected by the Heartbleed Bug?
Because the OpenSSL library is installed on the web server, an ordinary user's local PC is not affected. But this makes it harder to find out which web servers are still running vulnerable builds of OpenSSL. Fortunately, a clever Italian, Filippo, has put together a web app that makes it easy to check whether a website is affected by the Heartbleed bug.
To check whether a site is affected by Heartbleed, visit the Filippo.io website, enter the target domain name (for example, google.com) and hit Enter on your keyboard. It shows the bug status for that site instantly.
There is also a Chrome extension called Chromebleed that can automatically warn you about Heartbleed-affected websites as you visit them. The extension is available from the Chrome Web Store; after installation, it shows a Heartbleed icon in the Chrome toolbar. As you visit a website in Chrome, it checks that website for the Heartbleed vulnerability using the Filippo.io web app. If the website is found to be affected, a notification message is shown in the lower-right corner of the screen.
Conclusion: The OpenSSL Heartbleed bug has existed for around two years. Many web servers running the vulnerable OpenSSL library are affected, and so are all the sites hosted on them. Many desktop and mobile applications also use the OpenSSL library and can be affected too. As web host administrators and developers continue to fix the Heartbleed bug in their servers and apps, you should quickly change the passwords for your online accounts to be on the safe side, ideally once each site reports that it has been patched, since a new password sent to a still-vulnerable server can leak just like the old one.