The Heartbleed bug is a serious vulnerability in the popular OpenSSL cryptographic software library. The weakness allows stealing information that, under normal conditions, is protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. It allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.
Although OpenSSL is very popular, there are other SSL/TLS options. In addition, some web sites use an earlier, unaffected version, and some didn't enable the heartbeat feature that was central to the vulnerability.
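The mechanism behind the memory read described above is a missing bounds check in the heartbeat handler: the request carries a length field, and the vulnerable code copied that many bytes into the reply without checking it against the number of bytes actually received (the length field is 16 bits, so a single request could pull back up to 64 KB of whatever sat next to the request in memory). The following C program is an added illustration, not OpenSSL's code; it models that shape with a constructed "process memory" buffer in which a secret sits just past the received record, and shows the vulnerable handler beside the hardened one, which drops any request whose claimed payload does not fit in the record (the same check the real fix added). The `memory` array, the `secret` string and all function names are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "process memory" for the demonstration (not real heap layout):
 * the received heartbeat record is placed at offset 0, and a secret that the
 * peer must never see is placed a little further along, as it might be on a
 * real heap. */
#define MEM_SIZE 256
#define SECRET_OFFSET 64

static unsigned char memory[MEM_SIZE];
static const char secret[] = "SECRET-KEY-MATERIAL"; /* constructed sample */

/* Lay out a heartbeat request in memory:
 *   type (1 byte) | claimed payload length (2 bytes, big-endian) | payload
 * Returns the number of bytes actually "received", i.e. the record length. */
static size_t build_request(uint16_t claimed_len, const char *payload, size_t payload_len) {
    memset(memory, 0, sizeof memory);
    memory[0] = 1; /* heartbeat request */
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(&memory[3], payload, payload_len);
    memcpy(&memory[SECRET_OFFSET], secret, sizeof secret);
    return 3 + payload_len;
}

/* Shape of the bug: the handler trusts the length field inside the request and
 * never compares it with how many bytes were really received (record_len).
 * Returns the number of payload bytes echoed into out. */
static size_t vulnerable_reply(unsigned char *out, size_t record_len) {
    (void)record_len; /* ignored: this is the bug */
    size_t payload = (size_t)((memory[1] << 8) | memory[2]);
    /* Harness guard only, so this simulation stays within its own array;
     * the real code had no such cap and read past the record into the heap. */
    if (3 + payload > MEM_SIZE) payload = MEM_SIZE - 3;
    memcpy(out, &memory[3], payload);
    return payload;
}

/* Hardened handler: refuse any request whose claimed payload (plus the 3-byte
 * header) does not fit inside the bytes actually received. The real fix also
 * silently discarded such records rather than answering them. */
static size_t safe_reply(unsigned char *out, size_t record_len) {
    if (record_len < 3) return 0;
    size_t payload = (size_t)((memory[1] << 8) | memory[2]);
    if (3 + payload > record_len) return 0;
    memcpy(out, &memory[3], payload);
    return payload;
}

/* Sends a 2-byte payload but claims 100 bytes, then reports whether the reply
 * from the chosen handler contains the secret (1) or not (0). */
int reply_leaks_secret(int use_safe) {
    unsigned char out[MEM_SIZE];
    size_t record_len = build_request(100, "hi", 2);
    size_t n = use_safe ? safe_reply(out, record_len) : vulnerable_reply(out, record_len);
    if (n < sizeof secret) return 0;
    for (size_t i = 0; i + sizeof secret <= n; i++)
        if (memcmp(&out[i], secret, sizeof secret) == 0) return 1;
    return 0;
}

/* A well-formed request (claimed length matches the payload) is answered by
 * both handlers; returns the number of payload bytes echoed. */
size_t honest_reply_len(int use_safe) {
    unsigned char out[MEM_SIZE];
    size_t record_len = build_request(2, "hi", 2);
    return use_safe ? safe_reply(out, record_len) : vulnerable_reply(out, record_len);
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", reply_leaks_secret(0)); /* 1 */
    printf("hardened handler leaks secret:   %d\n", reply_leaks_secret(1)); /* 0 */
    printf("honest request, hardened reply:  %zu bytes\n", honest_reply_len(1)); /* 2 */
    return 0;
}
```

The only difference between the two handlers is the single comparison of the claimed length against `record_len`; a peer that sends honest requests sees identical behaviour from both, which is why the missing check went unnoticed in normal operation.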
Implementing perfect forward secrecy (PFS), a practice that makes sure encryption keys have a very short shelf life and are not used forever, reduces the potential damage, but it doesn't solve the problem. It means that if an attacker got an encryption key from a server's memory, the attacker would not be able to decode all secure traffic from that server, because each key's use is very limited. While some tech giants like Google and Facebook have started to support PFS, not every company supports it.
How to avoid being affected:
- Do not log into accounts on affected sites until you are sure that the company has patched the problem
- You can check sites on an individual basis using checkers such as https://lastpass.com/heartbleed/
- When you have received confirmation of a security patch, change the passwords of sensitive accounts
- Monitor your account statements for the next few days in case any of your accounts was affected