1 Panic on web as Heartbleed bug leaves millions of users vulnerable ~ "TAKE NO AS A QUESTION "

Wednesday, 9 April 2014

Panic on web as Heartbleed bug leaves millions of users vulnerable

Panic on web as Heartbleed bug leaves millions of users vulnerable

Panic on web as Heartbleed bug leaves millions of users vulnerable
The bug, dubbed Heartbleed, “allows anyone on the internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software”.
NEW DELHI: Web administrators and computer security researchers on Tuesday scrambled to fix a serious vulnerability in OpenSSL encryption used by thousands of web servers, including those run by email and web chat providers. The bug, dubbed Heartbleed, "allows anyone on the internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software". 

In other words hackers or cyber criminals can use the Heartbleed bug to steal private encryption keys from a server that is using OpenSSL protocols of SSL/TLS encryption and then snoop on the user data, including passwords. There are reports that servers of Yahoo, Imgur and Flickr have been affected. However, this is around two-year-old bug and hence no one knows for sure how many people have exploited it at how many servers have been compromised. 

The bug is so serious and widespread that Tor Project, which manages the anonymous Tor network, has advised web users to go offline for a while. "If you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle," it said in a blog post. 

OpenSSL Project has created a website called www.heartbleed.com to inform web users and web masters about the bug."The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users," explained a note posted on the website. 

In a separate note OpenSSL Project said that the bug was discovered by Neel Mehta, a security researcher working with Google. It also said the "affected users should upgrade to OpenSSL 1.0.1g". The key bit to note here is that by users OpenSSL doesn't mean the web users but web server administrators who use OpenSSL protocols. 
The reason why the Heartbleed bug has caused panic among server administrators and security researchers is because how it affects servers. "This bug has left large amount of private keys and other secrets exposed to the internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously," explained the Heartbleed website. "Leaked (private) secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will." 

In an answer to a question — Am I affected by the bug? — the OpenSSL website notes, "you are likely to be affected either directly or indirectly". 

"OpenSSL is the most popular open source cryptographic library and TLS implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many of online services use TLS to both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of the TLS," noted the website.



Hi guys If u like this post please leave a comment in comment box... comment box will top right of every post and bottom of every post. its useful for me give a better information.. check top of the blog there is menu bar in that go to comments i replied for u r comments because there is no direct option for reply for u r comments. if u want to give any suggestion in bottom of blog there is contact information option please leave a msgs with u r mail id sure i will get u.


0 comments:

Post a Comment

HTML Comment Box is loading comments...
MARUTHU Copyright@2014. Powered by Blogger.