An introduction to the Heartbleed vulnerability. Considered to be the worst horror of the internet age, this flaw and its discovery changed the way people thought about implementing open-source standards.
3. Let's start with the internet…
• A cheap and reliable method to interconnect machines
4. Let's start with the internet…
• In turn provides a robust and "smart" layer of communication, worldwide
5. Let's start with the internet…
• But to make this channel "smart", we need to follow some rules or protocols
6. How the internet works....
• Much of the Internet relies on a cryptography library named OpenSSL to ensure that messages are delivered only to their legitimate recipients.
• Open source
• Free
• Widely adopted and implemented
7. OpenSSL and the Heartbeat Protocol
• OpenSSL includes a protocol extension named Heartbeat
• Negotiates and monitors the availability of a resource.
• Generates a signal that indicates normal operation or synchronises other parts of a system.
8. Usage of the Heartbeat Protocol
• Is the device on the other end up?
• Is the device on the other end actually who it declares it is?
• The device could be a client or a server.
• Platform independent and device-scale independent.
9. Practically.....
• Active login sessions
• Website security certifications
• E-Commerce
• E-Governance
• Internet Banking
• Social networking
11. How the Heartbeat Protocol works...
• Continuous pinging between devices over the network.
• A successful reply ping from the other end denotes that that device is online.
• No ping-back message indicates that the other end is down.
• Both devices ping each other and reply to each other's Heartbeat request.
13. How the Heartbeat Protocol works...
The device on the other end:
• Locates the Payload in its active memory
• Uses the Size field to count how many bytes to send back
• Returns that data
The first device is thus assured that the other end is online.
15. The Flaw...
• No bounds-check mechanism
• Inherited from the C language this software library is written in, which does not check array bounds.
• A maliciously crafted Heartbeat request with mismatching Payload and Size arguments would still be processed.
16. The Flaw...
A Heartbeat request with
• a small Payload argument
• a larger Size argument
returns extra data from the active memory of the replying device.
This provides unauthorised access to data which should have been hidden and abstracted.
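The missing bounds check described on the two slides above, shown as an added C example (not OpenSSL's own code, which is far larger): a simplified handler for the RFC 6520 Heartbeat message that compares the peer-declared Size against the number of bytes actually received before echoing anything. The message layout is simplified (zero padding instead of random), and the function and sample names are hypothetical; the two sample requests are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified TLS Heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build a Heartbeat response for the request in rec (rec_len = bytes actually received).
 * Returns the response length written to out, or -1 if the request is malformed. */
int hb_handle_request(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    /* The Size field is peer-controlled: it may claim far more than was sent. */
    size_t payload  = ((size_t)rec[1] << 8) | rec[2];
    size_t resp_len = 1 + 2 + payload + HB_PADDING;   /* reply mirrors the request size */
    /* The bounds check Heartbleed lacked: the declared Size must fit inside the bytes
     * that actually arrived. Without it, the memcpy below reads past the request buffer. */
    if (resp_len > rec_len || resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);          /* echo only what was really received */
    memset(out + 3 + payload, 0, HB_PADDING);   /* real code uses random padding */
    return (int)resp_len;
}

/* Constructed sample: Size says 5 and 5 payload bytes are present. Returns 24 (1+2+5+16). */
int demo_wellformed(void)
{
    uint8_t req[1 + 2 + 5 + HB_PADDING] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t resp[64];
    int n = hb_handle_request(req, sizeof req, resp, sizeof resp);
    if (n > 0 && memcmp(resp + 3, "hello", 5) != 0)
        return -2;                               /* echoed bytes must match the payload */
    return n;
}

/* Constructed sample: same 5 bytes on the wire, but Size claims 0x4000 (16384). Returns -1. */
int demo_mismatched(void)
{
    uint8_t req[1 + 2 + 5 + HB_PADDING] = { HB_REQUEST, 0x40, 0x00, 'h', 'e', 'l', 'l', 'o' };
    uint8_t resp[64];
    return hb_handle_request(req, sizeof req, resp, sizeof resp);
}
```

The second sample is exactly the shape of request the slides describe (small Payload, larger Size); with the check in place it is rejected instead of being answered with whatever lay beyond the request in memory.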
18. Aftermath...
• The platform independence of OpenSSL makes practically every machine on the internet vulnerable to this flaw.
• Not a bug or a virus, but an inherent flaw. Thus security breaches don't get logged or detected, ever.
• This bleeding of confidential data can happen to both sides, the servers as well as the clients.
19. Aftermath...
• Only 64 kB of data can be sent back in a single Heartbeat reply, but there is no limit on how many times these 64 kB chunks can be retrieved.
• Not only devices but even services can be exploited.
20. What's worse...?
• Security certificates could be stolen, allowing malicious impersonation of secure services.
• Changing your username or password doesn't help if the service is still not patched against the vulnerability.
• Since the breach never gets detected, one can never know whether they have been attacked.
21. What's worse...?
• Those who kept up to date were the ones affected, breaking the myth behind the general practice of "keeping it updated".
• With a compromised certificate key, one can easily decrypt previous information transfers without ever being detected.
• More than 67 percent of servers on Earth use OpenSSL, including Google, Facebook, Yahoo, etc.
23. Tackling Heartbleed
Three primary approaches to remove this flaw:
• Upgrading to OpenSSL 1.0.1g, which patches the flaw.
• Removing the Heartbeat functionality altogether by recompiling OpenSSL without the Heartbeat extension (the OPENSSL_NO_HEARTBEATS build option).
• Applying the patch oneself by correcting and recompiling the source code.
24. Tackling Heartbleed
• Compromised keys and certificates need to be revoked and reissued.
What can an end-user do?
• Do nothing. Refrain from logging into services until they are patched.
26. Lessons Learnt
• Open source makes flaw discovery and correction a faster process.
• Inclusion of new features needs more scrutiny.
• Open-source projects need to be funded well.
• Adoption of a new piece of code should be accompanied by negative testing of it.
27. Lessons Learnt
• You are never completely safe, even if you follow the best practices.
• There are no "best practices".