What is Heartbleed bug?
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Why are some sites not affected by Heartbleed?
Although OpenSSL is very popular, there are other SSL/TLS options. In addition, some Web sites use an earlier, unaffected version, and some didn't enable the "heartbeat" feature that was central to the vulnerability.
While it doesn't solve the problem, what mitigates the scope of the potential damage is the implementation of perfect forward secrecy, or PFS, a practice that makes sure encryption keys have a very short shelf life, and are not used forever. That means that if an attacker did get an encryption key out of a server's memory, the attacker wouldn't be able to decode all secure traffic from that server because keys use is very limited. While some tech giants, like Google and Facebook, have started to support PFS, not every company does.
How does the bug work?
The vulnerability lets a hacker access up to 64 kilobytes of server memory, but perform the attack over and over again to get lots of information. That means an attacker could get not just usernames and passwords, but also "cookie" data that Web servers and browsers use to track individuals and ease log-in. According to the Electronic Frontier Foundation, doing the attack repeatedly could yield more serious information, like a site's private SSL key, used to encrypt traffic. With that key, someone could run a fake version of a Web site and use it to steal all other kinds of information, like credit card numbers or private messages.
0 comments:
Post a Comment