Monday, April 14, 2014

Best Explanation: The HeartBleed Bug

An EPJ reader sends this explanation of the HeartBleed bug:

An explanation of HeartBleed from a software developer in easy-to-understand language.
 
The Secure Sockets Layer (SSL) is a specification used to protect sensitive data that passes from computer to computer on the internet. An internet user actually uses this technology all the time. When using google.com, one can use http:\\google.com or https:\\google.com. The https:\\ signifies that the communication between you and your browser is secure and no one else can see what is being sent back and forth (another way one can tell that a site is using it is by seeing a lock icon right beside the URL of the website you visit). This specification doesn't have a problem, but a mistake has been found in an implementation. OpenSSL's implementation is actually open source, which means the source code is available for everyone in the world to read. This bug actually affects any web server that uses OpenSSL, and according to Netcraft's April 2014 Web Server Survey, this is 66% of the web.

The type of bug that HeartBleed is categorized as is called a buffer overflow, where more data is read from memory than should have been. Buffer overflow bugs are actually pretty common and have been around for more than 25 years. Software companies are constantly fixing buffer overflow bugs, and they can be pretty easy to miss when reviewing code.

Here is an example of a buffer overflow bug and what is going on. However, instead of using programming, in the example we are going to use text messages. Say I am going to send a text message to my friend Tom saying I got a new job. Then, right after I send a message to Tom, I want to send a message to my wife to tell her what my new salary is.

Tom: How did it go?
Me: I got the Job!

Wife: So what did you guys agree on as far as salary?
Me: XX,XXX Great raise!

But, after reading my wife's message and forgetting to change the sender to my wife, I end up sending the second message to Tom as well:

Me: I got the Job! ….. XX,XXX Great raise!

Thus, Tom now knows more about me than I wished he did. It's the same thing with HeartBleed, but it's the computer not changing the sender. Only it gets a little more technical. In communication between your computer and a web server, a value is requested and more is shared than just that value. What makes this bad is that the extra information shared might be a password, a credit card number, or, it being tax season, even your Social Security Number.
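The "value is requested and more is shared" step above, as an added example that is not part of the reader's post and is not OpenSSL's own code. It is a small C simulation of the TLS heartbeat handling (RFC 6520: one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding). The peer-controlled length field is trusted by the vulnerable handler and checked against the real record length by the fixed one, the same check OpenSSL 1.0.1g added. The `arena` array, the `dummy_secret` string placed right after the record, and the function names are all assumptions made for the demonstration; the secret stands in for whatever neighbouring heap data a real server happened to have.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520): type, 2-byte payload length
 * (big endian), payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define ARENA_SIZE  256

/* Hypothetical arena standing in for the connection's heap: the incoming
 * record sits at the front, and whatever follows belongs to other
 * allocations. A constructed dummy secret is placed there below. */
static unsigned char arena[ARENA_SIZE];
static unsigned char reply[3 + 0xffff + HB_PADDING];
static const char dummy_secret[] = "session_cookie=ab12cd34";

/* Build a heartbeat request whose header claims `claimed_len` payload
 * bytes while actually carrying `real_len`. Returns the true length. */
size_t build_heartbeat(unsigned char *buf, uint16_t claimed_len,
                       const char *payload, size_t real_len)
{
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + 3, payload, real_len);
    memset(buf + 3 + real_len, 0x41, HB_PADDING);   /* stand-in padding */
    return 3 + real_len + HB_PADDING;
}

/* Vulnerable handler: trusts the peer-supplied length and never looks at
 * how long the record really is, so the copy runs past the request into
 * neighbouring memory. Returns the response length. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out)
{
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                                 /* never consulted */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);         /* the over-read */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + (size_t)payload_len + HB_PADDING;
}

/* Fixed handler: a request whose claimed payload plus header and minimum
 * padding does not fit in the record received is silently dropped. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out)
{
    if (rec_len < 3 + HB_PADDING)
        return 0;                                  /* too short to parse */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload_len + HB_PADDING > rec_len)
        return 0;                                  /* length lies: drop */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + (size_t)payload_len + HB_PADDING;
}

/* Byte-string search, since memmem is not standard C. */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Place a 2-byte request claiming 100 bytes in the arena with the dummy
 * secret right behind it, then run the given handler. */
static size_t run_forged(size_t (*handler)(const unsigned char *, size_t,
                                           unsigned char *))
{
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_heartbeat(arena, 100, "hi", 2);
    memcpy(arena + rec_len, dummy_secret, sizeof dummy_secret);
    return handler(arena, rec_len, reply);
}

int vulnerable_leaks_secret(void)
{
    size_t n = run_forged(heartbeat_vulnerable);
    return contains(reply, n, dummy_secret);       /* 1: secret echoed */
}

int fixed_rejects_forged_length(void)
{
    return run_forged(heartbeat_fixed) == 0;       /* 1: request dropped */
}

int fixed_echoes_honest_request(void)
{
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_heartbeat(arena, 2, "hi", 2);
    size_t n = heartbeat_fixed(arena, rec_len, reply);
    return n == rec_len && memcmp(reply + 3, "hi", 2) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks neighbouring secret: %d\n",
           vulnerable_leaks_secret());
    printf("fixed handler drops forged request:           %d\n",
           fixed_rejects_forged_length());
    printf("fixed handler still answers honest request:   %d\n",
           fixed_echoes_honest_request());
    return 0;
}
```

The forged request says "echo 100 bytes back" but carries only two, and the vulnerable handler obliges, copying 98 bytes of whatever sat behind the request. Nothing is written out of bounds, which is why this is a read past the end of the buffer rather than a classic overflow; the fix is a single comparison of the claimed length against the length actually received.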


4 comments:

  1. I equate the heartbleed bug to being drunk and having no internal filter. When asked a question, you answer it. And if you get a "give me some more" look you just keep on talking.

    Or this:
    http://www.xkcd.com/1354/

  2. At least he could have used the correct "/" instead of the DOS "\".
    The Internet is a descendant of the "UNIX" platform and the separators always have been and always will be "/".
    "JEESH!!"

  3. While the description of the problem is essentially correct, the problem is not a "buffer overflow"; it is a buffer over-read. A buffer overflow happens when data is written past the end of the area allocated for a buffer, trashing whatever happens to be beyond the end of the buffer (and sometimes allowing skilled hackers to replace that area with machine instructions).

  4. This is why I will never use Bitcoin. As an unsophisticated non-computer layman, how can I ever be sure that some years after I acquire many bitcoin, someone will not tell me that there has been some technical coding problem causing the loss of all my money. At least with gold, or even paper money, I know how to hide them and can understand exactly how and why they can be lost or stolen.
