Heartbleed Bug Reminds Admins to Patch OpenSSL

By - Source: Toms IT Pro

A substantial security vulnerability has been identified in several versions of OpenSSL, the widely used SSL/TLS toolkit and cryptography library. The vulnerability, known as the Heartbleed bug (CVE-2014-0160), threatens to leak small amounts of information at a time to attackers, possibly accumulating into a large-scale security breach. Vulnerable versions of OpenSSL include 1.0.1 through 1.0.1f, as well as 1.0.2-beta and 1.0.2-beta1.

According to heartbleed.com, "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

The Heartbleed bug is essentially a forced memory leak. The implementation of the TLS heartbeat extension lacks a necessary bounds check, meaning attackers could read up to 64 kilobytes of memory at a time from vulnerable sites. According to a recent Netcraft SSL use survey, 17.5 percent of SSL sites use the heartbeat extension.
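The missing bounds check described above, shown as an added illustration rather than code from the article or from OpenSSL: a simulated heartbeat handler in its unchecked and bounds-checked forms. The `memory[]` array, the `secret` string and the `build_request` helper are constructed stand-ins for a server's process memory and for a received record.

```c
#include <stdint.h>
#include <string.h>

/* Added illustration, not OpenSSL's source. Record layout follows the TLS
 * heartbeat message (RFC 6520): type (1), payload_length (2, big-endian),
 * payload, then at least 16 bytes of padding. memory[] and the secret are
 * constructed stand-ins for a server process's heap. */
#define HB_PADDING 16

static unsigned char memory[64];             /* received record + neighbours */
static const char secret[] = "SESSION-KEY";  /* data that must never be echoed */

/* Write a heartbeat request into memory[] whose length field claims `claimed`
 * bytes while only strlen(payload) bytes are really present; the secret is
 * placed right after it. Returns the record length actually received. */
size_t build_request(const char *payload, uint16_t claimed) {
    size_t n = strlen(payload);
    memset(memory, 0, sizeof memory);
    memory[0] = 1;                            /* heartbeat_request */
    memory[1] = (unsigned char)(claimed >> 8);
    memory[2] = (unsigned char)(claimed & 0xff);
    memcpy(memory + 3, payload, n);
    memcpy(memory + 3 + n + HB_PADDING, secret, sizeof secret);
    return 3 + n + HB_PADDING;                /* padding bytes stay zero */
}

/* Vulnerable shape: trusts the peer-supplied length and copies that many
 * bytes from the record into the reply, reading past what was received. */
int echo_unchecked(const unsigned char *rec, unsigned char *out, size_t cap) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t off = (size_t)(rec - memory) + 3;
    if (claimed > cap || off + claimed > sizeof memory)
        return -1;                            /* simulation guard only */
    memcpy(out, rec + 3, claimed);
    return (int)claimed;
}

/* Fixed shape (the 1.0.1g bounds check): header, claimed payload and minimum
 * padding must all fit inside the record that actually arrived. */
int echo_checked(const unsigned char *rec, size_t rec_len,
                 unsigned char *out, size_t cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)claimed + HB_PADDING > rec_len || claimed > cap)
        return -1;                            /* reject, do not reply */
    memcpy(out, rec + 3, claimed);
    return (int)claimed;
}
```

With a record that claims 48 payload bytes but carries 5, the unchecked handler echoes the padding and the neighbouring secret back, while the checked handler discards the record.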

The heartbleed.com site even tested the vulnerability on itself. "We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

Protect Your Website from Heartbleed

The scale of this security threat is massive. Apache and nginx web servers are the most likely to use OpenSSL, and together they run 66 percent of active sites. Not every one of these sites is at risk, since some run updated versions of OpenSSL or aren't running an HTTPS service at all.

For sites that may be vulnerable, here's how you can protect your sites from the bug:

  1. A current list of tested sites is available on GitHub.
  2. Use the URL testing tool at filippo.io/Heartbleed to find out if a site is still vulnerable.
  3. If you're a website owner using OpenSSL, get the patched version of the toolkit, 1.0.1g, available at www.openssl.org. Sites using OpenSSL are encouraged to contact their users to keep them up to date on their security status. Take care of the security patch first and tell your users what steps to take next.
