Lately there has been a buzz of fear and confusion surrounding the recently identified security vulnerability CVE-2014-0160, fancifully named “Heartbleed”. At the time of its discovery, Heartbleed affected some 15% of internet servers. Let me start by saying that Diigo’s servers are not now, nor have they ever been, affected by the vulnerability, and Diigo users need not worry that Diigo has allowed attackers to gain access to their personal information. However, many people use the same password for several sites. If you have received notice that you should change your password for one of the sites that you use, and you happen to use the same password for Diigo, you should change your Diigo password as well.
Heartbleed is a bug in OpenSSL, a widely used software library for encrypting and securely transporting information on the internet. More specifically, Heartbleed is a bug in an optional part of OpenSSL known as the “TLS/DTLS heartbeat extension”, hence the witty name of the bug. The heartbeat extension allows either side of a secure connection to check whether the connection is still alive.
Let’s imagine a secure connection as a phone call. You are talking to a friend, and your friend is in a loud area. When your friend enters a quiet library while you are speaking to him/her, you might think the connection was lost, so you ask “Are you still there?” Your friend replies, so you realize you don’t need to hang up and call again. The heartbeat extension allows for a similar behavior in secure connections. One computer ‘says’ to the other “If you’re still there, say the 3-letter word ‘yes’.” The other computer responds with “yes” and the connection continues.
The Heartbleed vulnerability allows one computer to lie about the length of the word “yes”, by claiming it has more than 3 letters. The first computer asks for the 1000-letter word “yes”. The second computer never checks that claim against the 3 letters that actually arrived, so it responds with the first 1000 letters in recent memory: “yes and-the-previous-nine-hundred-ninety-seven-letters-I-was-working-with”.
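As an added illustration (constructed here, not Diigo’s or OpenSSL’s code): a reduced C model of the heartbeat handler, first in the shape that trusts the claimed length, then with the bounds check that the 1.0.1g fix added. The 128-byte memory stand-in, the “SECRET-SESSION-TOKEN” string and all function names are made up for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#define HB_HEADER  3    /* 1 byte type + 2 byte payload length */
#define HB_PADDING 16   /* RFC 6520 requires at least 16 bytes of padding */
/* Constructed stand-in for the process heap: "yes" is followed by other data the process held. */
static unsigned char process_memory[128];
struct heartbeat_req {
    uint16_t claimed_len;          /* payload length the peer claims */
    const unsigned char *payload;  /* where the payload sits in memory */
    size_t record_len;             /* bytes that really arrived, header included */
};
/* Vulnerable shape: trusts claimed_len, so it copies past the 3 real bytes. */
static size_t heartbeat_vulnerable(const struct heartbeat_req *req, unsigned char *out) {
    memcpy(out, req->payload, req->claimed_len);
    return req->claimed_len;
}

/* Fixed shape: header + claimed payload + padding must fit in what actually
 * arrived, otherwise the record is silently dropped (mirrors the 1.0.1g check). */
static size_t heartbeat_fixed(const struct heartbeat_req *req, unsigned char *out) {
    if ((size_t)HB_HEADER + req->claimed_len + HB_PADDING > req->record_len)
        return 0;
    memcpy(out, req->payload, req->claimed_len);
    return req->claimed_len;
}

/* The request from the analogy: 3 real payload bytes on the wire, 64 claimed. */
static struct heartbeat_req make_lying_request(void) {
    struct heartbeat_req r = { 64, process_memory, HB_HEADER + 3 + HB_PADDING };
    memset(process_memory, 'X', sizeof process_memory);
    memcpy(process_memory, "yes", 3);
    memcpy(process_memory + 3, "SECRET-SESSION-TOKEN", 20);  /* made-up secret */
    return r;
}

/* Bytes beyond the real payload that the vulnerable handler echoes back. */
static size_t bytes_leaked_by_vulnerable(void) {
    struct heartbeat_req r = make_lying_request();
    unsigned char out[128] = {0};
    size_t n = heartbeat_vulnerable(&r, out);
    if (memcmp(out, "yesSECRET-SESSION-TOKEN", 23) != 0) return 0;
    return n - 3;    /* 61: the token and filler that followed "yes" */
}
/* What the fixed handler hands back for a given claimed length. */
static size_t bytes_returned_by_fixed(uint16_t claimed) {
    struct heartbeat_req r = make_lying_request();
    unsigned char out[128] = {0};
    r.claimed_len = claimed;
    return heartbeat_fixed(&r, out);
}
```

The fixed handler only ever echoes a payload that fits inside the bytes it actually received, which is exactly the check the vulnerable shape is missing.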
To tie back in with the phone call analogy let’s suppose your friend calls to confess all their secrets to you while he/she is drunk. The next day, someone using your friend’s number who sounds remarkably like your friend calls you and says, “I think I told you more than I meant to last night, what all did I say?” If you tell the imposter the secrets your friend told you, then you have a bug similar to Heartbleed.
When Heartbleed was identified, Diigo was using OpenSSL version 1.0.1e. Experts will note that this is one of the versions affected by the Heartbleed bug; however, because we had disabled the heartbeat extension, Diigo was not susceptible. We have now updated to the newest version, OpenSSL 1.0.1g, in which the Heartbleed bug has been fixed.