PKard Reader & Heartbleed

Since April 8, 2014, the Internet has been buzzing with concerns and questions about the "Heartbleed Bug" and how it affects us. This article was written to help our customers understand what the vulnerability is and how it affects users of PKard Reader.

What is the Heartbleed Bug?

Here's how heartbleed.com describes the bug:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

Does PKard Reader use OpenSSL?

Yes.

Is the OpenSSL in PKard Reader vulnerable to the Heartbleed bug?

Yes. PKard Reader includes a version of OpenSSL that includes the Heartbleed bug.
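The practical question behind this answer is how to tell which OpenSSL an app or library bundles. Every OpenSSL build embeds its version banner (OPENSSL_VERSION_TEXT, e.g. "OpenSSL 1.0.1f 6 Jan 2014") as a plain string, so scanning a binary for that banner is a quick triage step. The following Python is an added example, not code from Thursby or the PKard Reader app; the sample "binary" is a constructed byte string, and the affected range it encodes (1.0.1 through 1.0.1f, plus 1.0.2-beta1) is the publicly documented Heartbleed range.

```python
import re

# OpenSSL embeds its OPENSSL_VERSION_TEXT banner in every build, for example
# "OpenSSL 1.0.1f 6 Jan 2014".  A bytes regex lets us scan raw binaries.
BANNER_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?")

# Constructed sample "binary": two banners surrounded by unrelated bytes.
SAMPLE_BINARY = (
    b"\x00\x00__TEXT\x00"
    b"OpenSSL 1.0.1e 11 Feb 2013\x00"
    b"TLS heartbeat\x00"
    b"OpenSSL 1.0.1g 7 Apr 2014\x00"
)


def parse_openssl_version(text):
    """Return (major, minor, patch, letter, beta) for strings such as
    '1.0.1f' or '1.0.2-beta1', or None if the text is not a version."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?", text)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter, int(beta) if beta else None)


def is_heartbleed_affected(version):
    """Heartbleed lives in the TLS heartbeat code that first shipped in 1.0.1.
    Affected: 1.0.1 (including its betas) through 1.0.1f, and 1.0.2-beta1.
    Fixed: 1.0.1g and 1.0.2-beta2.  The 1.0.0 and 0.9.8 branches never had
    the heartbeat extension, so they are not affected."""
    v = parse_openssl_version(version)
    if v is None:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letter, beta = v
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"  # '' (plain 1.0.1 or a beta) sorts before 'a'
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1
    return False


def find_openssl_banners(blob):
    """Scan a binary blob (an app executable, a shared library, a firmware
    image) for OpenSSL banners and report each with its Heartbleed status.
    Caveat: distributions sometimes backport the fix without changing the
    letter (Debian and Red Hat did so for 1.0.1e), so an 'affected' banner
    means 'investigate further', while a fixed banner is reliable."""
    results = []
    for m in BANNER_RE.finditer(blob):
        version = m.group(0)[len(b"OpenSSL "):].decode("ascii")
        results.append((version, is_heartbleed_affected(version)))
    return results


if __name__ == "__main__":
    for version, affected in find_openssl_banners(SAMPLE_BINARY):
        print(f"{version}: {'AFFECTED' if affected else 'not affected'}")
```

Run against a real file, the loop would read the file bytes into `find_openssl_banners` instead of the constructed sample; an app that links OpenSSL statically will show exactly one banner, while a system with several copies of the library may show more than one.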

I've read that private keys can be accessed by exploiting this bug. Can that happen with PKard Reader?

No. A user's private key is kept on their smart card (CAC/PIV). The card performs the signing and decryption operations itself, so the private key is never loaded into the app's memory and can never be retrieved from the card.

I've read that username/password credentials can be accessed by exploiting this bug. Can that happen with PKard Reader?

If you use PKard Reader to access a password-protected site and are then duped into visiting a malicious site, the username and password may be retrievable from the app's memory. However, our users use smart cards for authentication -- in that case, no username or password exists.

Is Thursby Software planning to make any changes based on information about this vulnerability?

While we think the possibility of abuse of our product is minimal (for the reasons given above), we're including an updated version of OpenSSL in our next PKard Reader release.

What can I do to minimize the possibility that I'm a target of this type of hack?

When you visit a site using PKard Reader, we attempt to verify all SSL certificates before continuing the SSL communication. If that verification fails, you'll see this error message:

When you see this error, make sure that the site is really something you wish to visit before clicking the "Continue" button. If you're unsure, click "Cancel".

Where can I learn about Heartbleed?

One of the most useful sites I've found about the Heartbleed bug is heartbleed.com.


Carl Ketterling
Director Customer Support

UPDATE:

On May 05, 2014, an update was provided for the PKard Reader app that corrects the Heartbleed Bug. If you're a PKard Reader user, please update to version 2.1.1.