Internal bleeding

Heartbeat was introduced two years ago into OpenSSL, the open-source software library that implements the Secure Sockets Layer (SSL) security protocol and that was running on about 17 percent of Internet sites using SSL. Heartbeat was intended to keep a connection between two parties open for a while after they had become inactive, whereas older versions of the software would have shut it down immediately.

As such a widely used piece of software, OpenSSL is under constant scrutiny for coding errors and vulnerabilities. As a relatively minor feature of the larger library, though, Heartbeat was not so heavily reviewed.

University of Idaho ITS Desktop Security Analyst Mitch Parks believes this is why a few miswritten lines of code, the result of human error, tore a hole in the OpenSSL security system and went unnoticed for more than two years. The flaw is now known as the Heartbleed bug (CVE-2014-0160).

According to Parks, Heartbleed is an oversight in the encryption software that lets an outsider read chunks of memory from any server running the affected OpenSSL versions, leaving any sensitive information handled by those sites, including passwords, credit card numbers and Social Security numbers, exposed.

“Software is very complicated,” Parks said. “Lots of folks test it, and there are automated tools for testing those kinds of things, but other times, they don’t. This is a piece of software that is very intensely looked at, because it’s so important to the common Internet. I’m actually kind of surprised they didn’t detect it.”

While two years may seem like a long time, Parks said most servers probably weren't vulnerable for that long, since a server was only at risk once it had been upgraded to a version of OpenSSL that included the Heartbeat feature.

That said, many sites, including Facebook, Google, Amazon and Netflix, were among those exposed. Large websites like these, Parks said, were notified of the bug before the public and had patches rolling out immediately.

University ITS staff didn't find out about the bug until the public was notified April 7. According to Parks, they began work almost immediately to determine how much Heartbleed affected university servers. Thankfully, he said, sites used by UI, including Blackboard Learn and VandalWeb, don't run the affected OpenSSL software, and only about 100 people on campus were affected by Heartbleed, most of them faculty and staff.

Students should still take precautions against the bug, Parks said.

“No.1, use a different password for every site,” Parks said. “It’s a pain, but you don’t know how secure any given site is, and you want to ensure your accounts can’t be taken over elsewhere … everyone should take action to change their password on sites just in case.”

Parks calls Heartbleed the most severe bug in the history of the Internet. While human error will always be present, and it's hard to know what will come next, Parks hopes this will serve as a reminder that the Internet is still in its youth.

“This is a fairly simple bug to exploit,” he said. “A few lines of code and you can scrape memory off a server. So hopefully in the future, bugs will be complicated enough that folks won’t take advantage of them … just in case, everyone should take action to change their passwords, and know how to change their passwords on every site. It’s a dangerous time to be on the Internet.”
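Parks's point that a few lines of code can scrape memory off a server, and the earlier description of the oversight, as an added example. This is the editor's own C model, not OpenSSL's source and not code from Parks or the article: the "arena" standing in for server memory, the planted secret string and the malformed heartbeat message are all constructed for the demonstration, and the vulnerable handler reads only within that arena rather than genuinely out of bounds. The bounds check in the fixed handler mirrors the one OpenSSL 1.0.1g added.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a server process's memory: the received heartbeat
 * record sits at the start, unrelated data happens to follow it. This is
 * not OpenSSL's real memory layout. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];

/* Heartbeat message (RFC 6520): type(1) | payload_length(2) | payload | padding(16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Write a heartbeat request into `out`. `claimed_len` is the payload_length
 * field on the wire; `actual_len` is how many payload bytes are really sent.
 * An honest client makes them equal; a Heartbleed probe does not. */
size_t build_heartbeat(unsigned char *out, uint16_t claimed_len,
                       const unsigned char *payload, size_t actual_len)
{
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, actual_len);
    memset(out + 3 + actual_len, 0, HB_PADDING);
    return 1 + 2 + actual_len + HB_PADDING;   /* bytes actually on the wire */
}

/* Modelled on OpenSSL 1.0.1 through 1.0.1f: trusts the peer-supplied
 * payload_length and never compares it with the record that arrived.
 * Returns the number of payload bytes echoed into `resp`. In this model
 * rec + 3 + payload must stay inside the arena; the real bug allowed a
 * claimed length of up to 65535, a 64 KB read per message. */
size_t process_heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                    unsigned char *resp)
{
    (void)rec_len;                       /* never consulted: this is the bug */
    if (rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    /* Copies `payload` bytes from the start of the 2-byte payload the peer
     * sent, running past the end of the record into adjacent memory. */
    memcpy(resp + 3, rec + 3, payload);
    return payload;
}

/* Same handler with the check OpenSSL 1.0.1g added: a claimed payload that
 * does not fit inside the received record is silently discarded. */
size_t process_heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                               unsigned char *resp)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, rec + 3, payload);
    return payload;
}

static int contains(const unsigned char *hay, size_t hay_len,
                    const unsigned char *needle, size_t needle_len)
{
    if (needle_len > hay_len)
        return 0;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0)
            return 1;
    return 0;
}

/* Send one malformed heartbeat (2 real payload bytes, claimed length 100)
 * to either handler. Returns the bytes echoed and sets *leaked when the
 * constructed secret planted nearby in the arena comes back in the reply. */
size_t heartbleed_demo(int use_fixed_handler, int *leaked)
{
    static const unsigned char secret[] =
        "session=abc123; password=hunter2";          /* constructed sample */
    unsigned char resp[3 + ARENA_SIZE];

    memset(arena, 0, sizeof arena);
    memcpy(arena + 64, secret, sizeof secret - 1);  /* "nearby" memory */
    size_t rec_len = build_heartbeat(arena, 100, (const unsigned char *)"hi", 2);

    size_t echoed = use_fixed_handler
        ? process_heartbeat_fixed(arena, rec_len, resp)
        : process_heartbeat_vulnerable(arena, rec_len, resp);
    *leaked = contains(resp + 3, echoed, secret, sizeof secret - 1);
    return echoed;
}

int main(void)
{
    int leaked;
    size_t n = heartbleed_demo(0, &leaked);
    printf("vulnerable: echoed %zu bytes, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = heartbleed_demo(1, &leaked);
    printf("fixed:      echoed %zu bytes, secret leaked: %s\n", n, leaked ? "yes" : "no");
    return 0;
}
```

The request on the wire is 21 bytes, yet the vulnerable handler happily returns the 100 bytes the attacker asked for, and the planted secret sitting 64 bytes into the arena comes back in the reply. The fixed handler compares the claimed length against the record it actually received and returns nothing. The attacker needs no credentials and leaves no trace in normal logs, which is why changing passwords after the patch, as Parks advises, is the only way to be sure a previously leaked one is no longer usable.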

Hannah Shirley can be reached at [email protected]
