Barkings! | The SmallDog Apple Blog

A blog about our business, our industry, and our lives. You'll find posts from everyone at Small Dog and if the dogs could blog, they'd be here too!

The internet may not actually be a series of tubes, but it still is a complex layering of protocols, software, hardware and people. One of those protocols that we rely on heavily is SSL/TLS (Secure Socket Layer/Transport Layer Security). This protocol is what allows your data to pass securely between your computer or device and the sites you visit. It does this by encrypting the data end-to-end.

For example, you might notice that our shopping cart URL has an “https” at the beginning. This signals that you’re viewing a secured page. Any information you enter on forms will be transmitted encrypted. Credit card numbers, passwords, and everything else are all encrypted and safe. Any site that handles credit card information, or other sensitive customer information, must be PCI compliant. Here at Small Dog Electronics, we go through compliance testing each month to verify that our servers and systems check out. When something like the Heartbleed bug comes along, we take it very seriously and have procedures in place to resolve it.

The bug works by exploiting a flaw in the way heartbeat messages are handled in OpenSSL. A heartbeat message is nothing more than a tiny message from a client to the server that says, “Hey server, even though I’m not sending encrypted data right now, I’m still here, so don’t close my secure connection.” It does this because closing and reopening the connection takes work, so it’s more efficient to leave it open. These heartbeat messages typically contain some payload data and an indication of how big the payload data is. So a message might be “Hey server, I’m still here” and the payload size might say 32 bytes. The server hears this message and responds by returning the payload data and payload size to the client.

To exploit this transaction, a malicious client sends a heartbeat message with a very small payload (say 10 bytes), but lies and says that the payload size is very large (50,000 bytes). When the server goes to respond by sending back the payload, it mistakenly grabs 50,000 bytes worth of data from its memory. This could include all kinds of data that this client should NOT know about. It could be anything the server was working on at that time: other clients’ secure data, passwords, or even encryption keys. This is all very bad, so we want to stop it from happening.
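The length mismatch described above, as an added example that is not Small Dog’s or OpenSSL’s code: a simplified heartbeat handler in which `heartbeat_respond` applies the bounds check the fixed OpenSSL added, and `demo` (a constructed harness) feeds it a request that claims 50,000 payload bytes but carries only 10. The function names and the 128-byte buffers are assumptions for this illustration.

```c
/* Added example, not code from Small Dog or OpenSSL: a simplified TLS
 * heartbeat handler (RFC 6520 layout: type, 2-byte length, payload, 16+
 * bytes padding) with the bounds check the Heartbleed fix introduced. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Answer the heartbeat request in rec[0..rec_len). Returns the response
 * length written to out, or -1 if the request is discarded. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    /* Payload length as *claimed* by the peer (big-endian). */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The check Heartbleed lacked: header + claimed payload + padding must
     * fit in the record actually received. Without it the server copied
     * `payload` bytes from memory beyond the short record it really got. */
    if (3 + payload + HB_PADDING > rec_len)
        return -1;                        /* silently discard, as the fix does */
    if (3 + payload + HB_PADDING > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, rec + 3, payload);    /* echo only what was really sent */
    memset(out + 3 + payload, 0, HB_PADDING); /* real code uses random padding */
    return (int)(3 + payload + HB_PADDING);
}

/* Simulate one exchange with a constructed request that claims `claimed`
 * payload bytes but carries only `actual`. Returns the response length,
 * or -1 when the handler refuses it. */
int demo(uint16_t claimed, size_t actual)
{
    uint8_t req[128], resp[128];
    size_t len = 3 + actual + HB_PADDING;
    if (len > sizeof req) return -2;
    req[0] = HB_REQUEST;
    req[1] = (uint8_t)(claimed >> 8);
    req[2] = (uint8_t)claimed;
    memset(req + 3, 'A', actual);             /* bytes really on the wire */
    memset(req + 3 + actual, 0, HB_PADDING);
    return heartbeat_respond(req, len, resp, sizeof resp);
}
```

An honest 32-byte heartbeat is echoed back (51 bytes including header and padding); the request that claims 50,000 bytes while sending 10 is dropped instead of being answered from memory.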

Fortunately, the fix for the bug is fairly simple. Servers running OpenSSL need to upgrade their version. Because it’s possible that encryption keys and certificates could have been compromised, it’s advisable to also replace those keys and certificates. Here at Small Dog Electronics, we’ve done both of these things. We’ve also reset login sessions in case an old user login session was still active or compromised.

So what else should you know? OS X itself is not vulnerable to the bug. We use custom software versions and configurations on our servers to allow us to keep up with the latest bug fixes in a more timely manner, but in this case, it meant our version included the bug.

Because we’re lovers of security here, we suggest everyone update their Top Dog Club passwords just to be extra safe. Additionally, since OpenSSL is very common software used all across the web (somewhere around 60% at last estimation), we also suggest that people update passwords for accounts on other sites. As always, we recommend choosing good, strong passwords.

Please don’t hesitate to reach out to us on our blog, Twitter, or Facebook if you have any questions about our security, what we’ve done to patch the Heartbleed bug, or you’d like help updating your account passwords.
