By: Michael Diedrick on Apr 9, 2014
It’s another day, so there’s another worry in the world of web development (and servers in general) -- the Heartbleed vulnerability for OpenSSL. It’s a tiny ‘glitch in the mainframe’ that allows someone to read 64 kb of a server’s memory and unencrypt things that are sent through what we all understood to be secure, like your credit card numbers or your secure email. And while every minor bug gets security analysts and the press running around like a bunch of frantic muppets, this one will be a real problem if not addressed. Why? Because it’s not a single piece of software, it’s part of the foundation of secure communication, OpenSSL, the system that keeps the most secret of the secrets.
In case you’re wondering if your website / server is safe, there’s an easy test: http://filippo.io/Heartbleed/ -- which is impressive for the speed of which they came out with it, about a day, and that they open sourced it immediately and made it into the easiest interface possible. Historically bugs like this didn’t get this kind of community-based thoughtful attention. I hope this is a trend. Also, you can buy them a beer -- enough people asked to donate a litle, so they have links on their FAQ page .
If you’re on any of Byte’s servers, you’re patched and good, or it didn’t apply to your server’s architecture. Needless to say, we were on it. So-called ‘zero day’ vulnerabilities, ones that were there but almost nobody knew existed, give hackers great powers and don’t rely on good server admins to keep their servers safe, because there are no patches for zero-day vulnerabilities. But once they’re known, all the minor hackers in the world want to fill your site with spam links to their scammy affiliate accounts. So we pay a lot of attention to any new known ones.
What gets interesting to me is that this bug existed for years, and delivers the same capabilities that Edward Snowden’s revelations claimed that the NSA has had for years, turning the process of decrypting everyone’s communication from one that was supposed to exact high costs of time and processing power into something that was now trivial. So, did this patch one of the NSA’s big zero-day vulnerabilities?