Heartbleed bug renders OpenSSL vulnerable to attack (Video)
Posted by: Jon Ben-Mayor on 04/09/2014 02:47 AM
[
Comments
]
The 'safety' you presumed to have had while on the internet has only been an illusion - shattered by the Heartbleed bug, which is a serious vulnerability in the popular OpenSSL cryptographic software library.
This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Gizmodo points out that fortunately not all versions of OpenSSL are vulnerable to this kind of exploit, and there's already a fixed version of it out there. But considering how long it was broken for, that's a cold comfort.
There's a long list of sites that used the offending package, but because the attacks leave no trace, there's no way of telling how many were actually attacked; you just have to assume they all were. And if you're a user of one of them, assume your credentials are now out in the wild.
yahoo.com
imgur.com
flickr.com
redtube.com
kickass.to
okcupid.com
steamcommunity.com
hidemyass.com
wettransfer.com
usmagazine.com
500px.com
And even once those sites have patched up the actual OpenSSL hole, the problem is far from solved. Sites also have to perform the internet equivalent of changing their cryptographic locks. Even then, any data that attackers may have managed to stash before then is still vulnerable, and it always will be.
As long as the vulnerable version of OpenSSL is in use it can be abused.
Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.
According to Life Hacker, it is estimated that over 66% of the web uses OpenSSL, so a good portion of the web may be vulnerable. You can test certain sites using this tool, though it won't answer whether a site was previously vulnerable at any point in the past. You can find a list of possibly affected sites here, but check their respective blogs for any recent updates—and keep in mind they may have been vulnerable sometime in the past two years (Google and Facebook, for example, are not listed as currently vulnerable, but have yet to issue any official statements).
This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Gizmodo points out that fortunately not all versions of OpenSSL are vulnerable to this kind of exploit, and there's already a fixed version of it out there. But considering how long it was broken for, that's a cold comfort.
There's a long list of sites that used the offending package, but because the attacks leave no trace, there's no way of telling how many were actually attacked; you just have to assume they all were. And if you're a user of one of them, assume your credentials are now out in the wild.
And even once those sites have patched up the actual OpenSSL hole, the problem is far from solved. Sites also have to perform the internet equivalent of changing their cryptographic locks. Even then, any data that attackers may have managed to stash before then is still vulnerable, and it always will be.
As long as the vulnerable version of OpenSSL is in use it can be abused.
Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.
According to Life Hacker, it is estimated that over 66% of the web uses OpenSSL, so a good portion of the web may be vulnerable. You can test certain sites using this tool, though it won't answer whether a site was previously vulnerable at any point in the past. You can find a list of possibly affected sites here, but check their respective blogs for any recent updates—and keep in mind they may have been vulnerable sometime in the past two years (Google and Facebook, for example, are not listed as currently vulnerable, but have yet to issue any official statements).
Comments
