Heartbleed: What You Should Know

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.” Not only is this one of the most talked-about bugs in the history of the internet, it was also described by Bruce Schneier as “an 11/10 on a severity scale.” The bug has been present since 2011, which makes it that much worse.

SSL and its younger brother TLS are both encryption protocols used to protect web traffic. About 66 percent of the internet currently uses an open-source implementation of them known as OpenSSL. OpenSSL uses key pairs between you and the server to encrypt data so that none of your information is viewable in plain text. Every so often the server sends out a heartbeat, which asks the user if it’s still there. Here’s where the bug lies:

When this heartbeat takes place, data is exchanged. The vulnerability is that a heartbeat request can ask for up to 64 KB of the server’s memory, which typically holds a password, account names, account numbers or your private key.
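To make that length mismatch concrete, here is an added educational model in Python (not code from this post or from OpenSSL): the heartbeat record layout from RFC 6520, a handler that trusts the declared payload length the way the unpatched code did, and the bounds check the fix introduced. The adjacent memory contents are constructed sample data.

```python
import struct

PADDING = 16     # RFC 6520 requires at least 16 bytes of padding after the payload
HEADER = 1 + 2   # 1-byte message type + 2-byte big-endian payload_length
# A 2-byte length field can declare up to 65535 bytes: the "64 KB" in the post.

# Constructed stand-in for whatever happened to sit next to the record in process memory.
ADJACENT_MEMORY = b"session_cookie=abc123;-----BEGIN PRIVATE KEY-----(constructed)"


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Encode a heartbeat request. claimed_length may deliberately disagree with len(payload)."""
    return bytes([1]) + struct.pack("!H", claimed_length) + payload + b"\x00" * PADDING


def vulnerable_echo(buffer: bytes, record_length: int) -> bytes:
    """Pre-fix behaviour: copy as many bytes as the sender declared, never comparing
    that number with record_length (the amount actually received)."""
    (claimed,) = struct.unpack("!H", buffer[1:HEADER])
    return buffer[HEADER:HEADER + claimed]   # reads past the record when claimed is too large


def fixed_echo(buffer: bytes, record_length: int):
    """Patched behaviour: if type + length + payload + padding exceeds what was
    actually received, silently discard the record (return None) instead of echoing."""
    (claimed,) = struct.unpack("!H", buffer[1:HEADER])
    if HEADER + claimed + PADDING > record_length:
        return None
    return buffer[HEADER:HEADER + claimed]


def simulate(payload: bytes, claimed_length: int):
    """Run both handlers over one record followed by the constructed adjacent memory.
    Returns (what the vulnerable handler echoes, what the fixed handler echoes)."""
    record = build_heartbeat(payload, claimed_length)
    buffer = record + ADJACENT_MEMORY
    return vulnerable_echo(buffer, len(record)), fixed_echo(buffer, len(record))


if __name__ == "__main__":
    print(simulate(b"hello", 5))    # honest length: both handlers echo b"hello"
    print(simulate(b"hello", 40))   # inflated length: only the unpatched handler leaks adjacent bytes
```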

If a third party gets your private key, SSL is useless. All of your web traffic is now viewable in plain text by the person who holds your key. If they get your password or credit card information — well, that’d be pretty bad, too.

But there are measures being taken. Programmers have already patched this vulnerability in OpenSSL, but system admins still have to apply the patch, which isn’t that easy. There are also sites that will tell you whether you are still vulnerable.

Sources:
http://heartbleed.com/
https://lastpass.com/heartbleed/


4 thoughts on “Heartbleed: What You Should Know”

  1. I am surprised there was not a bigger deal made out of all of this or at least I have not heard more about this issue as it seems very serious and destructive.

  2. The shock and awe comes from the fact that this bug was present since 2011 and we are now just finding out about it. I find it amazingly shocking that this could go undetected for 3 years.

  3. This coincides some with the Secrets and Lies book we are reading now. Are digital attacks worse than physical attacks? With something like this, it would certainly be worse. What is even more scary is the fact that this bug has been around for 3 years.

  4. It’s relieving to hear that big sites such as Amazon use their own version of SSL so as not to fall victim to this.
