Stealing a site’s crypto key is a significant victory for a hacker or another individual or agency intent on spying on a user. It allows them to see the traffic passing between the user and the server as if it was not encrypted at all, and that means being able to steal credentials, passwords and other data as it flows through. Even worse, that hacker or spy could go back and decrypt data that they had intercepted from the server before. With the server’s private crypto key, in fact, that hacker or spy could see any data passing to or from the server.
Rubin Xu gives a very detailed description on ArsTechnica of how he managed to get the crypto key from a compromised server (http://arstechnica.com/security/2014/04/how-i-used-heartbleed-to-steal-a-sites-private-crypto-key/). If you want a broad understanding of how it works, however, here are the basics.
What Happens During the Attack?
OpenSSL Betas 1.01 and 1.02 were affected by this bug. When a computer hooks up over a secure SSL/TLS connection, that connection is kept alive in these implementations by a heartbeat request. This is an exchange of data that allows the server and the computer to verify that they’re both there, essentially.
A malicious attacker sends a heartbeat request, but puts in false information about the size of that request. The actual request might only be 1 byte, for instance, but they might declare to the server that it’s much larger.
The server stores that information in memory. When it sends back a heartbeat request, it uses the information it had in memory. While it might think that the bytes included in the original request numbered, just for example, 64,000 in total, there was only 1. OpenSSL pulls information out of its memory, filling the request to the declared size and, in doing so, may actually send back the crypto key, which could be deciphered by the hacker.
This is vastly simplified, but it’s essentially how the attack works. The attacker merely tricks the OpenSSL into sending its own private crypto key and then uses that key to decipher any other information taken from the server.
How to Prevent This?
This was a software bug, which means that Heartbleed was literally written into the code of OpenSSL. This wasn’t a virus or another type of hack that introduced software onto the servers.
Most companies that use OpenSSL, including VPN companies, have patched their servers if they were affected by this bug. Not all of them were affected. To avoid being a victim of this attack yourself, make sure you change your password on any secure site you use. It may not have been affected, but it’s always better to be safe.
One Other Method
You can also get your own private crypto key. As Golden Frog writes about on their blog, the owner of Lavabit, which provided secure email, shut down his service to avoid giving his crypto key to the government, which wanted to spy on one of his users. As Golden Frog recommends, it’s a good idea to ask any service provider you do business with to give you your own private crypto key. This will be one that the provider doesn’t maintain for you, which means that, if anyone asks they have nothing to turn over. The government would have to come to you, and you wouldn’t necessarily have to give it over on request, the exact situation depending.