5 things you need to know about the Heartbleed Bug


1. What is Heartbleed?

It's a serious vulnerability in OpenSSL, a popular library used to encrypt and secure various web, email and other connections.
Essentially, by sending OpenSSL's heartbeat extension a request with an incorrect length value, an attacker can read up to 64KB of the host's memory. The request can be repeated to read more RAM, exposing names, passwords, content and any other data the process holds: the encryption gives you no protection at all.
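To make the mechanism behind point 1 concrete, here is an added example (not code from the article, and not OpenSSL's own source) that simulates heartbeat handling inside a constructed memory arena. The pre-fix handler trusts the length field the peer supplies; the post-fix handler applies the bounds check that 1.0.1g introduced. The arena, the `ping` payload and the `session-token=...` string are all constructed for the example, so no real process memory is read.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A TLS heartbeat record is: 1-byte type, 2-byte payload length, payload,
 * then at least 16 bytes of padding. */
enum { HB_HEADER = 3, HB_PADDING = 16, ARENA_SIZE = 4096 };

/* Constructed stand-in for a slice of the server process's memory: the
 * received record sits at the front, and whatever else happened to be
 * allocated nearby (here a made-up session token) sits a little after it. */
static unsigned char arena[ARENA_SIZE];
static const char *neighbour_secret = "session-token=CONSTRUCTED-EXAMPLE";

/* Build a heartbeat request whose declared length may exceed the real
 * payload. Returns the number of bytes actually "received". */
static size_t build_request(unsigned char *rec, const char *payload, uint16_t claimed_len)
{
    size_t real_len = strlen(payload);
    rec[0] = 1;                                   /* heartbeat_request */
    rec[1] = (unsigned char)(claimed_len >> 8);
    rec[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(rec + HB_HEADER, payload, real_len);
    memset(rec + HB_HEADER + real_len, 0, HB_PADDING);
    return HB_HEADER + real_len + HB_PADDING;
}

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap);

/* Pre-fix behaviour: trust the peer's length field and echo that many bytes
 * starting at the payload, even though they run past the record. */
static size_t reply_unchecked(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                /* never consulted: the bug */
    size_t len = (size_t)((rec[1] << 8) | rec[2]);
    if (len > out_cap) len = out_cap;             /* keeps the simulation inside its arena */
    memcpy(out, rec + HB_HEADER, len);
    return len;
}

/* Post-fix behaviour: discard any record whose declared payload plus
 * padding would not fit in the bytes actually received. */
static size_t reply_checked(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    size_t len = (size_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + len + HB_PADDING > rec_len) return 0;   /* the 1.0.1g check */
    if (len > out_cap) return 0;
    memcpy(out, rec + HB_HEADER, len);
    return len;
}

/* Place a request claiming `claimed_len` bytes in the arena, put the secret
 * just after it, and run the handler. Returns the number of bytes echoed. */
static size_t run_handler(hb_handler handler, uint16_t claimed_len,
                          unsigned char *out, size_t out_cap)
{
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_request(arena, "ping", claimed_len);
    memcpy(arena + rec_len + 8, neighbour_secret, strlen(neighbour_secret));
    return handler(arena, rec_len, out, out_cap);
}

/* 1 if the echoed reply contains the neighbouring secret, else 0. */
static int reply_leaks_secret(hb_handler handler, uint16_t claimed_len)
{
    unsigned char out[ARENA_SIZE];
    size_t n = run_handler(handler, claimed_len, out, sizeof out);
    size_t slen = strlen(neighbour_secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, neighbour_secret, slen) == 0) return 1;
    return 0;
}

/* Bytes echoed for a request that claims `claimed_len` bytes. */
static size_t bytes_echoed(hb_handler handler, uint16_t claimed_len)
{
    unsigned char out[ARENA_SIZE];
    return run_handler(handler, claimed_len, out, sizeof out);
}

int main(void)
{
    printf("unchecked, claims 200: echoed %zu bytes, leaks secret: %d\n",
           bytes_echoed(reply_unchecked, 200), reply_leaks_secret(reply_unchecked, 200));
    printf("checked,   claims 200: echoed %zu bytes, leaks secret: %d\n",
           bytes_echoed(reply_checked, 200), reply_leaks_secret(reply_checked, 200));
    printf("checked,   claims   4: echoed %zu bytes\n", bytes_echoed(reply_checked, 4));
    return 0;
}
```

The whole defect is the one comparison in `reply_checked`: the declared length is a 16-bit field, which is why a single request can pull back at most 64KB, and nothing in the unchecked path ever compares that field with the size of the record that actually arrived. A well-formed request (4 bytes claimed, 4 bytes sent) is answered identically by both handlers, so the fix costs legitimate clients nothing.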

2. How widespread is it?

The good news: this is not a fundamental problem with the core SSL/TLS technology. It's down to a specific bug in one implementation, OpenSSL release 1.0.1, released March 14, 2012, which was fixed in OpenSSL 1.0.1g on April 7 2014.
The bad news: OpenSSL is the standard encryption library used by Apache and nginx, the two most commonly-used web servers around, responsible for protecting more than 70% of the web's busiest sites.
So this isn't a case where you can assume you're safe because you use a big-name site: most companies will have been vulnerable.

3. Has anyone used Heartbleed in an attack?

The vulnerability was found independently by researchers at Google and the Finnish security firm Codenomicon, not by monitoring attacker activity, so there's no evidence that it has been used in real attacks.
The problem is that the attack leaves no footprint, no trace in the server's logs, so there's no way to be sure. You should assume that anything you think you've communicated securely in the last two years might have been compromised.

4. Are websites safe now?

Maybe. The bug was fixed in OpenSSL 1.0.1g, released on April 7. But that alone doesn't mean much, because each site must install the update and then reboot (or restart the affected services), so the fix isn't going to arrive automatically.
Big sites, or any which are actively managed, should be fixed by now. But others may remain vulnerable for much, much longer.
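For the server-side counterpart of point 4, here is an added helper (not from the article) that takes the string printed by `openssl version` and reports whether the build falls in the affected range, 1.0.1 through 1.0.1f, using the release dates given in point 2. The sample strings in `main` are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Classify an `openssl version` string.
 *   1  -> 1.0.1 up to and including 1.0.1f (affected)
 *   0  -> 1.0.1g or later, or any other release line (0.9.8, 1.0.0, 1.0.2)
 *  -1  -> string could not be parsed */
int openssl_heartbleed_range(const char *version_output)
{
    const char *p = version_output;
    int major, minor, patch, consumed = 0;
    char letter = 0;

    if (strncmp(p, "OpenSSL ", 8) == 0) p += 8;      /* tolerate the bare number too */
    if (sscanf(p, "%d.%d.%d%n", &major, &minor, &patch, &consumed) != 3) return -1;
    p += consumed;
    if (isalpha((unsigned char)*p)) letter = *p;     /* the patch letter, e.g. 'e' in 1.0.1e */

    if (major != 1 || minor != 0 || patch != 1) return 0;
    /* Plain 1.0.1 (no letter) and 1.0.1a..1.0.1f are affected; 1.0.1g fixed it. */
    return (letter == 0 || letter < 'g') ? 1 : 0;
}

int main(void)
{
    /* Constructed sample outputs, as a sysadmin might collect them from several hosts. */
    const char *samples[] = {
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s -> %d\n", samples[i], openssl_heartbleed_range(samples[i]));
    return 0;
}
```

Two caveats for anyone using this on real hosts. Some distributions patch the bug in place and keep the upstream version string, so a build that reads as 1.0.1e may already be fixed; the package changelog, not the version number, is the authority there. And, as point 4 says, an updated library on disk helps nothing until the services that loaded the old copy are restarted.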

5. Can I check a site for the Heartbleed bug?

Yes. There's a dedicated Heartbleed test page, and Qualys has added a Heartbleed check to its SSL Server Test. In both cases, just enter the host name of the server you're worried about, click the "Go" or "Submit" button and wait for a verdict.
Beware, though, with the current fuss both pages are getting a lot of traffic, and we found they occasionally refused us access. If you have problems, try again later.

© 2013 TechPost. All rights reserved. Shared by Ipods,Inc