Let’s Encrypt the Internet hole, Heartbleed bug
It's time to encrypt the entire internet. “Imagine if we found out all at once that all the doors everybody uses are all vulnerable — they can all get broken into? The kinds of bad things it enables is largely limited only by the imagination of the bad guys,” said Jason Healey, a cyber security scholar at the Washington-based Atlantic Council.
The Heartbleed bug put many consumers’ user names and passwords at risk. Undetected for two years, the bug quietly undermined the basic security of the Internet by leaving a gap in OpenSSL, an encryption technology used widely by businesses to protect sensitive data.
By some estimates, the bug affected as much as two-thirds of the Internet; the flaw prompted thousands of Web users to change their passwords on Google, Yahoo, Facebook and other major services.
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
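A simplified C model of the missing length check behind this memory read, beside its hardened form. It is an added illustration, not OpenSSL's code: the message layout and constants follow the TLS heartbeat extension (RFC 6520), while the function names, the 64-byte memory model and the sample secret are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 }; /* RFC 6520 values */
typedef size_t (*hb_fn)(const uint8_t *rec, size_t rec_len, uint8_t *out);

/* Flawed pattern: echoes as many bytes as the message's own 2-byte length
 * field claims. Layout: type(1) | length(2) | payload | padding. */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                        /* received size never consulted */
    if (rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);    /* can run past the record */
    return 3 + claimed;
}

/* Hardened pattern: drop the message unless header, claimed payload and
 * minimum padding all fit inside the bytes actually received. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);
    return 3 + claimed;
}

/* Constructed model of process memory: a 19-byte record (no payload)
 * followed by unrelated data. Returns 1 if the reply to a record claiming
 * `claimed` payload bytes (keep <= 40 here) contains that data. */
int reply_leaks(hb_fn handler, uint16_t claimed)
{
    static const char secret[] = "key=constructed-secret";
    uint8_t memory[64] = {0}, out[3 + 64];
    memory[0] = HB_REQUEST;
    memory[1] = (uint8_t)(claimed >> 8);
    memory[2] = (uint8_t)(claimed & 0xff);
    memcpy(memory + 19, secret, sizeof secret);
    size_t n = handler(memory, 19, out), len = strlen(secret);
    for (size_t i = 0; i + len <= n; i++)
        if (memcmp(out + i, secret, len) == 0) return 1;
    return 0;
}
```

The checked handler still answers an honest request; it only refuses a message whose claimed payload does not fit in the bytes that actually arrived.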
When you visit a secure site, your browser checks the site’s security certificate against a list of invalidated certificates. Depending on how it is designed, the browser probably downloads that list to your computer. Because sites rarely change their certificates, the lists are relatively short.
The Heartbleed bug was made public a week ago by Google and Codenomicon, a small Finnish security firm, which independently identified the problem. Immediately after the discovery of the bug on 3rd of April 2014, NCSC-FI took up the task of verifying it, analyzing it further and reaching out to the authors of OpenSSL and to the software, operating system and appliance vendors that were potentially affected.
Exploitation of this bug does not leave any trace of anything abnormal in the logs. It may slow web speed.
Efforts to fix the notorious Heartbleed bug threaten to cause major disruptions to the Internet over the next several weeks as companies scramble to repair encryption systems on hundreds of thousands of Web sites at the same time, security experts say.
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
For those service providers who are affected, this is a good opportunity to upgrade the security strength of the secret keys used. Here, test your server for Heartbleed.
Update: 16th April 2014
Heartbleed hack case sees first arrest in Canada