Computers are used for nearly everything today, from entertainment to business, and even banking. Though convenient, this makes computers and the internet a prime target for fraud, and security paramount. Recently, however, there has been security exploit after security exploit, some of which need nothing more than typing in a website and clicking “Go!” A couple have even been known for years before being fixed. This creates debate whether computer security is in fact safe, or it is all a false hope.
One extremely common target is TLS. TLS, or Transport Layer Security, is the main protocol used in secure communication over the internet. All secure webpages are transferred using this protocol, or its predecessor SSL (Secure Sockets Layer), and “https” signals its usage. One main component is the public and private key encryption. In this setup, the private key can decrypt messages from the public key and the other way around, but cannot decrypt messages from itself; a private key can decrypt a public key message, but a private key cannot decrypt a private key message (Allen and et al. 12-13). Additionally, an optional extension to SSL/TLS called heartbeat is often used. It is enabled by default, cannot be easily turned off during operation, and works be repeating the message back to the sender; this is often used to see if a server is online and working.
In April of 2014, a major exploit of TLS utilizing the heartbeat was found. It was named Heartbleed for the fact that it “bled” data through the heartbeat. It worked by telling the server to repeat something, but giving the wrong size for it, similar to “send be the 6,000 letter word ‘cat’ if you are there.” The server then sent back the 6,000 letters, with the majority of them being old data from previous operations. Through this, personal identification of users, including names and passwords, and the private key, which would allow reading of any encrypted message sent previously and in the future until it is changed, could be acquired. However, the bug itself is simply human error, a missing bounds check; a check that the user does not ask for more data than he sent. It has been fixed, with new versions automatically ignoring the attack (Henson). Even so, this bug has affected and left vulnerable more than 17% of secure sites on the internet, including some popular sites like Twitter and some banks (Mutton).
Heartbleed is not the only attack though; many still exist, and some even continue to work, such as one called BEAST. Originally found in early 2002, it was not until 2011 for it to be publicly demonstrated. This attack is a man-in-the-middle attack, meaning is does not need to be part of the conversation, and works by cracking the beginning of an encrypted conversation and calculating the variables used in the process. Then, using the private values, it can simply decrypt the conversation itself (Duong and Rizzo). This is not a fast attack, sometimes needing over half of an hour to work,...