Thursday, April 10, 2014

OpenSSL HeartBleed: Not a Computer Virus

Yes, I'm reusing this graphic again. Because it's awesome.
I've heard this question come up a couple of times in different forms, "Is Heartbleed a computer virus?" "Is my computer vulnerable to Heartbleed?"



This is often a difficult concept to grasp, which is actually a tribute to how well the internet works most of the time. The internet is meant to feel like there are only two people involved in communication: You and the person (or website) you communicate with.

In reality, there could be any number of participants in the communication getting your communication from you to the recipient. You communicate with your internet provider, who communicates with another provider, who sends the information to the website you want to talk to. The website responds along the same chain.

Any piece of this chain can come under attack. Your computer could be attacked, your information could be stolen as it moves through this chain, the website you're going to could come under attack.

OpenSSL is a technology used to encrypt traffic between your device and the website you're visiting (Encryption is a good idea because you're passing your information to any number of unknown entities to get it to where it's going. Encrypting it means that only you or the intended recipient can read the information).

So this is not a virus, it's a flaw in a communication protocol. Like leaving an envelope unsealed when you put it in the mail. In some ways, that's actually worse than a virus. Anything running OpenSSL with the Heartbeat extension is vulnerable. While this isn't technically a virus, there are some scenarios where your computer could be attacked. The best course of action is to quickly apply any patch that becomes available for software you use.

NOTE: I say "some scenarios" because the likelihood of someone getting valuable information out of your computer using this, while possible, is low. Webservers that could have dozens or hundreds of people's data going through them are much more attractive targets.