Heartbleed's impact on Internet, embedded security
However, the majority of publications in the last few weeks have focused on the security of consumer's usernames and passwords. It's also worth understanding how Heartbleed affects and informs us about security in embedded designs. But first, let's start at the details of the bug known as Heartbleed and its effect on Internet security.
OpenSSL, TLS, and encryption
There are many detailed explanations of Heartbleed available on the Internet. But let me briefly summarise:
Heartbleed is a code issue that is part of OpenSSL, a common open source library for doing secure communications using the SSL (secure socket layer) protocol. The newer versions of the SSL protocol go by the name TLS (transport layer security) instead. TLS can be used to add secure communication to a number of Internet services, but use of TLS with web servers is the most common. When used on a web server it creates a secure communication channel denoted by web addresses starting with "https://".
TLS for web servers provides two key features. First, TLS encrypts the communication channel between each web browser and the web server so that the communications cannot be read if intercepted. This protects all the traffic, but specifically protects sensitive information such as the username and password when a user logs in to a website.
Second, TLS also provides a way to prove and authenticate that the web server in question is the web server that was requested. This is done by the web server proving it possesses secret data (a private key) that corresponds with a publicly available identity (a certificate).
These two features are crucial to secure Internet communication and TLS for web servers. The actual means by which this security is accomplished is via complex math from the field of cryptography.
Details of heartbleed
The problem with Heartbleed is that it leaks relevant information through a coding bug in the OpenSSL library. This coding bug is sadly simple. A correct length check was not added to the code when a feature was added a couple of years ago.
Figure 1: How the TLS Heartbeat Extension functions in OpenSSL normally.
The feature was from a relatively new specification, known as the TLS Heartbeat Extension (figure 1), specified in RFC 6520. The TLS Heartbeat Extension was added to help keep TLS connections alive, when firewalls and other network devices might decide to time them out. While it is a worthwhile feature, introduction of this feature also introduced a bug.