Stemming the heartbleed

Techgoondu
Published: April 13, 2014
Last updated: July 28, 2014 at 4:10 AM


The Internet community got a wake-up call last week when news emerged that a bug in a piece of encryption software had been lurking in cyberspace for two years.

Announced last Tuesday, the bug, known as Heartbleed, lets hackers obtain user names, passwords and even encryption keys from websites that use OpenSSL, open source software used to secure a majority of online communications.

Because Heartbleed stayed undetected until now, it is possible that the bug has already been exploited to fish for data from websites that use OpenSSL.

Bloomberg reported last Friday that the U.S. National Security Agency (NSA) knew about the Heartbleed bug and regularly used it to gather critical intelligence, an allegation that the NSA has denied.

In any case, there is no way of knowing if the bug has been exploited, as Heartbleed leaves no traces.

From a technical perspective, the Heartbleed vulnerability is a missing “bounds check” error, a type of mistake that is common and easy to make with the C programming language used to develop OpenSSL.

So how is this a problem? When you are at a secure server of, say, an online banking website, you will see a green padlock in your browser’s address bar, indicating that your connection is secure.

To check that the server end of the connection is still there, your browser would normally state the amount of “heartbeat” data that it would send to the server, and send that amount of data over.

The server would then return that same data, keeping the connection “alive”.

With the Heartbleed bug, the server would not perform a “bounds check” to verify that the actual amount of data it received from the browser matches the stated amount.

So, a hacker behind a Web browser could potentially send less data than what was stated, forcing the server to retrieve additional data from the server’s working memory – which could contain passwords and encryption keys – to make up for the difference.
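To make the missing check concrete, here is an added illustration in C that is not part of the original article and is not OpenSSL's code. It places a simulated heartbeat record (a type byte, a two-byte claimed length, the payload and 16 bytes of padding, the layout RFC 6520 describes) at the start of a small constructed buffer standing in for server working memory, then contrasts an echo routine that trusts the claimed length with one that applies the same kind of length-versus-record check that the fix added. The buffer, the record-building helper, the function names and the fake secret are all constructed for this demo; the real OpenSSL record handling is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record layout (RFC 6520): 1 byte type, 2 byte big-endian
 * payload length, the payload, then at least 16 bytes of random padding. */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16

/* Constructed stand-in for a slice of server working memory. The heartbeat
 * record is placed at the start; whatever follows it is "other" data that
 * should never be sent back to a client. */
static uint8_t g_mem[64];

/* Read the payload length the client claims (big-endian 16-bit). */
static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* The bounds check: header + claimed payload + minimum padding must fit
 * inside the record that actually arrived. Returns 1 if it does, else 0. */
int hb_length_ok(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return 0;
    return HB_HEADER_LEN + hb_claimed_len(rec) + HB_MIN_PADDING <= rec_len;
}

/* Vulnerable echo: copies as many bytes as the client claimed, never
 * consulting rec_len. Returns the number of bytes copied. The out_cap clamp
 * only keeps this demo inside its own buffer; it is not part of the bug. */
size_t hb_echo_unchecked(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap) {
    (void)rec_len;                       /* the defect: received length ignored */
    size_t n = hb_claimed_len(rec);
    if (n > out_cap) n = out_cap;
    memcpy(out, rec + HB_HEADER_LEN, n); /* may run past the real payload */
    return n;
}

/* Fixed echo: discards any record whose claimed length does not fit.
 * Returns bytes copied, or 0 when the record is rejected. */
size_t hb_echo_checked(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap) {
    if (!hb_length_ok(rec, rec_len)) return 0;
    size_t n = hb_claimed_len(rec);
    if (n > out_cap) return 0;
    memcpy(out, rec + HB_HEADER_LEN, n);
    return n;
}

/* Build a heartbeat request at the start of g_mem that claims `claimed`
 * payload bytes but actually carries `actual` bytes plus 16 bytes of
 * padding. Returns the real record length. */
size_t build_record(uint16_t claimed, size_t actual) {
    memset(g_mem, 0, sizeof g_mem);
    g_mem[0] = 1;                          /* heartbeat_request */
    g_mem[1] = (uint8_t)(claimed >> 8);
    g_mem[2] = (uint8_t)(claimed & 0xff);
    for (size_t i = 0; i < actual; i++)
        g_mem[HB_HEADER_LEN + i] = (uint8_t)('A' + i);
    memset(g_mem + HB_HEADER_LEN + actual, 0x5a, HB_MIN_PADDING);
    return HB_HEADER_LEN + actual + HB_MIN_PADDING;
}

/* Demo: a request claiming 40 bytes but carrying 4. Places a constructed
 * "secret" right after the record, then asks whether the unchecked echo
 * returned it. Returns 1 if the secret leaked, 0 otherwise. */
int demo_unchecked_leaks(void) {
    static const char secret[] = "FAKE-SECRET-DATA"; /* 16 bytes, constructed */
    size_t rec_len = build_record(40, 4);
    memcpy(g_mem + rec_len, secret, sizeof secret - 1);
    uint8_t out[64];
    size_t n = hb_echo_unchecked(g_mem, rec_len, out, sizeof out);
    /* out[i] mirrors g_mem[HB_HEADER_LEN + i], so the secret lands at
     * out[rec_len - HB_HEADER_LEN] if the copy ran past the payload. */
    return n >= rec_len - HB_HEADER_LEN + (sizeof secret - 1) &&
           memcmp(out + rec_len - HB_HEADER_LEN, secret, sizeof secret - 1) == 0;
}

int main(void) {
    uint8_t out[64];
    size_t rec_len = build_record(40, 4);
    printf("claimed 40, received %zu: check %s\n", rec_len,
           hb_length_ok(g_mem, rec_len) ? "passes" : "rejects");
    printf("checked echo copied %zu bytes\n",
           hb_echo_checked(g_mem, rec_len, out, sizeof out));
    printf("unchecked echo returns adjacent memory: %s\n",
           demo_unchecked_leaks() ? "yes" : "no");
    return 0;
}
```

The whole defence is the single comparison in `hb_length_ok`: the claimed length is attacker-controlled, the received record length is not, and a server must only ever trust the second. Real TLS records live in a much larger heap, so whatever happened to sit after the record is what the unchecked version hands back.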

With OpenSSL being used widely to secure much of Internet communications, some people have questioned if it is wise to leave its development to a core team of open source developers. OpenSSL is developed by four people, and only one of them counts it as his full-time job.

However, the beauty of open source comes from the fact that anyone, including tech companies and governments, can take part in the development or fund the efforts.

“Some argue that open source is safer, because the more eyes review the code, the fewer vulnerabilities there will be,” says Sami Petäjäsoja, Asia-Pacific vice president at Codenomicon, the security firm that discovered the bug, along with engineers at Google.

“Open source makes it possible for any user to do their due diligence before deployment, including security testing and code review. If something is discovered and the software is fixed, it will help the whole community in the long run, as is the case with Heartbleed. In a closed source, similar vulnerabilities can stay hidden and only be known to malicious actors,” he adds.

The bigger question is this: when should severe vulnerabilities like Heartbleed be made public? Should big Internet companies get the heads-up before others?

While content distribution networks such as Akamai, which secures and hosts a large portion of the Internet’s content, were notified before everyone else, others like Yahoo, Amazon and some governments were caught off-guard.

The Canadian government, for example, has shut down public access to some of its websites which may be affected by Heartbleed.

To be sure, there are no roadmaps to follow in the disclosure of software flaws. It is often a judgment call for developers to make.

Announcing a loophole like Heartbleed publicly before it is plugged on a majority of websites will be catastrophic. Disclosing it privately to some organisations and not others will leave the uninformed out in the cold.

With much of the global economy dependent on the Internet, a more egalitarian way of managing and disclosing security threats that plague critical parts of the Internet’s infrastructure is crucial, before malicious hackers have time to act.

To stem any bleeding, the Internet’s blood needs to clot a lot faster.
