It feels like the Web has been under attack recently, as bugs with catchy names like POODLE, Shellshock and Heartbleed keep hitting the news. I’ll explain how these attacks actually work and what you should do to stay secure.
POODLE was disclosed in September 2014. It’s an attack on a very old, obsolete encryption protocol known as SSL 3.0. Most Web servers and browsers use a newer protocol (called TLS), but many Web servers and browsers still support SSL 3.0. And Microsoft’s ancient, seemingly unkillable browser — Internet Explorer 6 — actually requires SSL 3.0.
We should have dropped SSL 3.0 long ago, but we didn’t (thanks, IE 6). Web browsers and servers automatically fall back to older encryption standards when they have to, and the attack abuses this backward compatibility by tricking a Web browser into connecting to a Web server with the older SSL 3.0 encryption. Theoretically, the attacker can then break the ancient encryption and snoop on what you’re doing.
In the real world, this attack would happen when you use a malicious public Wi-Fi hotspot or a compromised Internet service provider. Someone would be able to abuse this vulnerability to — without your knowledge — force your browser to use a vulnerable connection. They could snoop on your online banking or shopping, capturing sensitive information.
The solution to this is to drop support for SSL 3.0 — something that should have happened a decade ago. Both Google and Mozilla are moving toward dropping SSL 3.0 support in upcoming versions of Chrome and Firefox. In the meantime, if you perform online banking or other sensitive activities on potentially vulnerable connections, you may want to disable SSL 3.0 yourself. And you’re in luck: this website has instructions for most browsers.
Shellshock was discovered in September 2014. It’s a bug in “bash,” a command-line shell environment used on many servers. It’s not an attack against your computer (unless you’re running Linux on your PC, in which case you’ll want to be sure you have the latest software updates). You should also check that your router has the latest software updates available.
This vulnerability was particularly scary and sometimes called “worse than Heartbleed” because it would allow attackers to run any command they like on vulnerable Web servers, infecting them and taking them over.
There’s not much you can do about Shellshock. At this point, the services you commonly use should have patched their systems to defend against Shellshock. It was a scary way to break into a lot of servers that were designed to be secure and compromise them, but it’s someone else’s job to fix. (Again, though — make sure you have the latest software updates for your home router as well as any other network-connected devices, like network-attached storage devices. These may use the bash shell.)
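For readers who administer their own Linux box or a network device with a shell, here is an added example (not part of the original article) showing how to check whether an installed bash still executes code appended to an exported function definition, which is the flaw the Shellshock patches remove. It wraps the widely published diagnostic in Python and assumes only that a `bash` binary is on the PATH; the environment variable name `x` and the marker string are constructed values.

```python
import subprocess


def bash_executes_trailing_code(bash="bash"):
    """Return True if this bash is unpatched, False if patched, None if bash is absent.

    Patched bash imports the function body "() { :;}" and ignores the text after
    it; an unpatched bash also runs that trailing text when it starts up.
    """
    env = {
        "PATH": "/usr/local/bin:/usr/bin:/bin",
        # Constructed probe: a harmless function followed by a marker command.
        "x": "() { :;}; echo SHELLSHOCK_MARKER",
    }
    try:
        result = subprocess.run(
            [bash, "-c", "echo probe"],
            env=env,
            capture_output=True,
            text=True,
            timeout=10,
        )
    except FileNotFoundError:
        return None  # no bash installed; nothing to check
    return "SHELLSHOCK_MARKER" in result.stdout


def report(bash="bash"):
    """Human-readable verdict, suitable for running by hand."""
    verdict = bash_executes_trailing_code(bash)
    if verdict is None:
        return "bash not found on this system"
    return "bash is UNPATCHED for Shellshock; update it" if verdict else "bash is patched"


if __name__ == "__main__":
    print(report())
```

If the marker ever appears in the output, the shell is still vulnerable and the fix is the same one the article gives: install the vendor’s updates for that system or device.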
Heartbleed was discovered in April 2014, and it pretty much started this non-stop scarefest. Essentially, Heartbleed is a bug in the OpenSSL software used by many Web servers to secure connections. The name comes from it being a bug in a “heartbeat” feature that leaks information. An attacker could send specially crafted packets using the “heartbeat” feature to check if the remote server was alive, and the server would respond not only with an acknowledgement that it’s running, but with some of the potentially sensitive data from its working memory. The attacker could keep asking the server for more data from its memory.
This data could contain your passwords on your online banking site, your credit card information on an online shopping site or your social security number on a tax-related website. All that sensitive data usually stored securely on the server was leaking.
To fix this vulnerability, Web server operators had to update their OpenSSL library. Users were advised to change all their passwords on websites — that’s where using a password manager like LastPass would help. In fact, LastPass even has a security check page that will tell you which of your accounts need to be updated with a new password due to Heartbleed.
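To make the “heartbeat” mechanism concrete, here is an added example (not code from the article, and not OpenSSL itself, which is written in C) that simulates the heartbeat message format in Python. A heartbeat request carries a claimed payload length; the vulnerable version trusts that number and copies that many bytes, while the patched version discards any message whose claimed length does not fit inside the record actually received. The bytes used as “neighbouring memory” and the payload values are constructed for the demonstration.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload

# Constructed stand-in for unrelated data sitting next to the record in the
# server's working memory (a real server might hold other users' data there).
NEIGHBOUR_MEMORY = b"session=abc123; password=hunter2; card=4111111111111111"


def build_heartbeat(payload, claimed_length=None):
    """Encode a heartbeat request: type(1) | payload_length(2) | payload | padding."""
    if claimed_length is None:
        claimed_length = len(payload)  # an honest client reports the true length
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING


def vulnerable_respond(memory, record_length):
    """Mirror the pre-fix logic: trust payload_length as the message states it."""
    hb_type, payload_length = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return b""
    # Bug: copies payload_length bytes from the start of the payload without
    # checking that they lie within the record_length bytes actually received.
    echoed = memory[3:3 + payload_length]
    return struct.pack("!BH", HB_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def patched_respond(memory, record_length):
    """Post-fix logic: bound the copy by the record length; drop bad messages."""
    if record_length < 1 + 2 + MIN_PADDING:
        return None  # too short to be a valid heartbeat
    hb_type, payload_length = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return b""
    if 1 + 2 + payload_length + MIN_PADDING > record_length:
        return None  # claimed length does not fit: silently discard (RFC 6520)
    echoed = memory[3:3 + payload_length]
    return struct.pack("!BH", HB_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def echoed_payload(response):
    """Strip the header and padding from a response to see what was echoed back."""
    _, payload_length = struct.unpack("!BH", response[:3])
    return response[3:3 + payload_length]


def simulate(payload, claimed_length=None):
    """Place one request in front of neighbouring memory and run both servers on it."""
    record = build_heartbeat(payload, claimed_length)
    memory = record + NEIGHBOUR_MEMORY
    return vulnerable_respond(memory, len(record)), patched_respond(memory, len(record))


if __name__ == "__main__":
    honest_v, honest_p = simulate(b"ping")
    print("honest request, vulnerable server echoes:", echoed_payload(honest_v))
    print("honest request, patched server echoes:   ", echoed_payload(honest_p))
    bad_v, bad_p = simulate(b"ping", claimed_length=60)
    print("over-long claim, vulnerable server echoes:", echoed_payload(bad_v))
    print("over-long claim, patched server replies:  ", bad_p)
```

The single added comparison in `patched_respond` is the whole difference: once the server checks the claimed length against the record it received, an over-long claim yields no reply at all instead of a slice of whatever happened to sit in memory after the request.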
Don’t Panic; Do This Instead
These are serious bugs, but don’t panic!
Heartbleed required a change of passwords, Shellshock just requires ensuring your router is updated, and POODLE will soon be fixed by Web browsers themselves. If you’re impatient and worried, you can disable SSL 3.0 in the browsers you use today. That’s all you really need to do.