Heartbleed bug opens up security vulnerabilities in OpenSSL

A new security vulnerability dubbed 'Heartbleed' has been found in OpenSSL - the cryptographic library used to secure much of the Internet's traffic. OpenSSL is used by software such as Apache, which powers the majority of web servers, so this has got a lot of people very worried.

The vulnerability, identified by researchers working for Google and Codenomicon, is reported to allow attackers to read 64 KB of memory at a time from servers running OpenSSL with the Heartbeat extension enabled. That memory could contain all sorts of sensitive data, including the secret keys used to encrypt communication. Possession of those keys could allow attackers to read what should be encrypted data - information as sensitive as user credentials or credit card details. As a result, this affects pretty much everyone who uses the Internet: a huge proportion of the sites and services used online rely on OpenSSL to protect user privacy and the data sent to them.

"We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication." - Heartbleed.com

System administrators are now rushing to patch their servers, either with the fixed version of OpenSSL (1.0.1g) or by recompiling OpenSSL without the Heartbeat extension that causes the issue.
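The defect behind the leak, and the bounds check that the fix adds, modelled in C as an added example (this is a constructed simplification, not OpenSSL's own code): a heartbeat request carries a peer-supplied payload length, and the vulnerable handler echoes that many bytes back without checking that the record it received was actually that long. The `arena`, `reply_vulnerable`, `reply_fixed` and `build_demo_request` names are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a TLS heartbeat request, not OpenSSL's own code:
   type(1) | payload_length(2, big-endian) | payload | padding(>=16 bytes). */
#define HB_HDR 3
#define HB_PAD 16

/* Stand-in for the heap: the request sits first, unrelated data right after it. */
#define ARENA_SIZE 64
uint8_t arena[ARENA_SIZE];

/* Vulnerable pattern: echo as many bytes as the peer's length field claims,
   never comparing it with how many bytes were actually received.  Clamped to
   the arena only so the demo is deterministic; the real read ran off the record
   into whatever the heap held next.  Returns the number of bytes echoed. */
size_t reply_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    size_t n = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                                  /* never consulted: the bug */
    if (n > out_cap) n = out_cap;
    if (n > ARENA_SIZE - HB_HDR) n = ARENA_SIZE - HB_HDR;  /* demo guard only */
    memcpy(out, rec + HB_HDR, n);
    return n;
}

/* Fixed pattern: header, claimed payload and padding must all fit inside the
   bytes received; otherwise the record is dropped without any reply. */
size_t reply_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_PAD) return 0;
    size_t n = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + n + HB_PAD > rec_len || n > out_cap) return 0;
    memcpy(out, rec + HB_HDR, n);
    return n;
}

/* Writes a request with a 4-byte payload ("ping") and the given length field
   into the arena, then a fake secret after it.  Returns the 23-byte record length. */
size_t build_demo_request(uint16_t claimed) {
    size_t rec_len = HB_HDR + 4 + HB_PAD;
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat_request */
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)claimed;
    memcpy(arena + HB_HDR, "ping", 4);
    memcpy(arena + rec_len, "SECRET-KEY-MATERIAL", 19);
    return rec_len;
}
```

With a length field of 40 against a 4-byte payload, the vulnerable handler's reply contains the fake secret that sat after the record, while the fixed handler returns nothing; the same record with an honest length of 4 is answered normally by both.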

How can I test if my server is affected?

The vulnerability has actually been present since December 2011 and affects OpenSSL versions 1.0.1 through 1.0.1f. If you want to check your server, security expert Filippo Valsorda has put together a useful online tool.

The bigger picture 

In the short term the immediate focus will be on patching all vulnerable servers as quickly as possible, now that the cat's out of the bag. But when the dust settles a lot of questions will need answering: if the vulnerability has been in place since 2011, how can we have confidence about which systems and data haven't already been compromised?

The bug is fully documented at heartbleed.com.

Sources:

Heartbleed.com

Cloudflare - Staying ahead of OpenSSL Vulnerabilities 
