Understanding the Heartbleed Bug

Posted by Chris Agri, Director of IT on 4/14/2014

TC Life Safety was not affected by the Heartbleed Bug

First things first: TC Life Safety's servers were not affected in any way by the Heartbleed bug. The vulnerability only affected servers running the OpenSSL cryptographic software library, typically on Linux and Unix servers. Our servers have never used the OpenSSL cryptographic library to secure the communications between your web browser and our servers.

This means that none of the information you've entrusted to TC Life Safety has been compromised, and when you see the lock in the address bar of your browser, you can be sure that any information you submit to us is strongly encrypted before it is sent over the internet.

At TC Life Safety, we take the security of the information you've entrusted us with very seriously. We use strong encryption to ensure communications between our customers and servers are scrambled so they are indecipherable when sent across the internet.

Additionally, TC Life Safety is proud to be a PCI compliant business. PCI compliance is an industry standard developed by the major credit card companies to ensure not only secure transmission of sensitive data, but a set of guidelines and requirements for securely handling that data. Our servers are audited quarterly for continued compliance, and each year we are re-certified after a more comprehensive audit.

You can read more about PCI compliance here.

What Is the Heartbleed Bug

In general terms, the Heartbleed Bug refers to a vulnerability in certain versions of the OpenSSL cryptographic library, which is a software library used on Unix and Linux servers to generate public/private keys. Public and private key pairs allow a web browser to verify the identity of the issuing server, and allow the server to decrypt information that has been submitted securely via the https protocol in your browser.

When a web browser visits a secure site (identified by a lock in the address bar), the encrypted private key on the server is compared to the public key the site has registered with a Certificate Authority (CA). This matching allows the browser to know that the site that is being visited is indeed the same site that registered the private key with the CA. This technique makes it difficult for bad-intentioned web sites to impersonate another valid web site in an attempt to steal information.

The Heartbleed Bug breaks this trust by leaking the private key from an affected server, allowing a hacker to decipher the encrypted (i.e. scrambled) data as it travels from the host (web browser) to the server. With access to this private key, it is trivial for a hacker to capture the data either as it's traveling across the internet, or from leaked memory on the server, and then decrypt it using the stolen key.
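To make the "leaked memory" above concrete, here is an added, simplified C model of the length check the bug was missing; it is not code from this post or from OpenSSL, and the names (`heartbeat_vulnerable`, `heartbeat_fixed`, `build_sample`) and the sample memory are constructed for illustration. The buggy handler trusts the length declared inside the heartbeat request and so echoes bytes that lie beyond the record; the corrected handler rejects any request whose declared payload does not fit in the record that actually arrived.

```c
#include <string.h>
#include <stdint.h>

/* Constructed model of the TLS heartbeat request that Heartbleed mishandled:
 * 1 type byte, 2-byte declared payload length, payload, 16 bytes padding.
 * The server echoes the payload; the bug was trusting the declared length
 * instead of the length of the record that actually arrived. */
#define HB_REQUEST 1
#define HB_HDR     3          /* type + 2-byte length */
#define HB_PAD     16

/* Buggy handler. mem/mem_len model the process memory around the record (so
 * this simulation never reads outside what it owns); rec_len, the size of the
 * record that really arrived, is never consulted. Returns bytes echoed, or -1. */
int heartbeat_vulnerable(const uint8_t *mem, size_t mem_len, size_t rec_len,
                         uint8_t *out, size_t out_len)
{
    (void)rec_len;
    if (mem_len < HB_HDR || mem[0] != HB_REQUEST) return -1;
    size_t declared = ((size_t)mem[1] << 8) | mem[2];
    if (declared > out_len || HB_HDR + declared > mem_len) return -1;
    memcpy(out, mem + HB_HDR, declared);   /* copies past the record into neighbouring memory */
    return (int)declared;
}

/* Corrected handler: declared payload plus padding must fit inside the record. */
int heartbeat_fixed(const uint8_t *mem, size_t mem_len, size_t rec_len,
                    uint8_t *out, size_t out_len)
{
    if (rec_len > mem_len || rec_len < HB_HDR || mem[0] != HB_REQUEST) return -1;
    size_t declared = ((size_t)mem[1] << 8) | mem[2];
    if (HB_HDR + declared + HB_PAD > rec_len) return -1;   /* the check that was missing */
    if (declared > out_len) return -1;
    memcpy(out, mem + HB_HDR, declared);
    return (int)declared;
}

/* Constructed sample memory: a 24-byte record whose 5-byte payload declares
 * 40, followed by a placeholder standing in for key material. Returns rec_len. */
size_t build_sample(uint8_t mem[128])
{
    static const char secret[] = "PLACEHOLDER-PRIVATE-KEY";
    memset(mem, 0, 128);
    mem[0] = HB_REQUEST; mem[1] = 0; mem[2] = 40;
    memcpy(mem + HB_HDR, "hello", 5);             /* 16 padding bytes stay zero */
    memcpy(mem + 24, secret, sizeof secret - 1);
    return 24;
}
```

Run over the sample, the buggy handler returns 40 bytes, of which the last 19 are the placeholder secret; the corrected handler returns -1 for the same request and only echoes when the declared length is 5.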

This comic from XKCD sums it up nicely.

Heartbleed explanation from XKCD

What You Need to Do

Undoubtedly you've received emails from sites such as Tumblr, Instagram and others encouraging you to change your account passwords due to the Heartbleed Bug. The web site Mashable has a good roundup of popular web sites and their vulnerability to the Heartbleed bug.

Some affected sites include:

  • Facebook
  • Instagram
  • Pinterest
  • Tumblr
  • Google
  • Yahoo
  • GoDaddy

Even if you don't fully understand why, you need to change the passwords of any sites listed as affected on the Mashable list. Why? Because if you're like most people, you use the same password for multiple web sites. Even if a site you visit wasn't affected by the Heartbleed Bug, if you used the same password there as on an affected account, that password is now compromised.

Which leads to our last point: don't re-use passwords. Download a password manager (such as LastPass) that will generate long, random passwords with a mix of upper and lowercase letters, numbers and symbols, remember them for you, and automatically fill in login forms.

Be safe out there.
