Revision as of 16:57, 9 April 2014 by Petter Strandmark (edit summary: "Replacing with text from OpenSLL instead.") | Revision as of 17:00, 9 April 2014 by Enquire (edit summary: "Create EL, with Codenomicon primary links")
Revision as of 17:00, 9 April 2014
The Heartbleed Bug is a bug in the open-source library OpenSSL which allows an attacker to read the memory of a web server.
On April 7, 2014, it was announced that all versions of OpenSSL in the 1.0.1 series up to and including 1.0.1f had a severe memory handling bug in their implementation of the TLS Heartbeat Extension. This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat. Its CVE number is CVE-2014-0160.
The vulnerability has existed since December 31, 2011, and the vulnerable code came into widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012. By reading the memory of the web server, attackers could access sensitive data, compromising the security of the server and its users. Potentially exposed secure data include the server's private master key, which enables attackers to break the encryption of the server's earlier eavesdropped communications and thereby to mount a man-in-the-middle attack.
The vulnerability might also reveal unencrypted parts of other users' sensitive requests and responses, including session cookies and passwords, which might allow attackers to hijack the identity of another user of the service. At its disclosure, some 17% or half a million of the Internet's secure web servers certified by trusted authorities were believed to have been vulnerable to the attack.
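The memory disclosure described above comes down to one missing comparison in the handling of the RFC 6520 Heartbeat message: the responder copied as many payload bytes as the message's own length field claimed, without checking that the record it received was actually that long. The following C program is an added example, not OpenSSL's code, showing a bounds-checked heartbeat responder. The names `build_heartbeat_response` and `make_heartbeat_request` are this example's own; the check itself is the same comparison the OpenSSL fix added (header + claimed payload + 16 bytes of minimum padding must not exceed the record length).

```c
/* Added example (not OpenSSL code): a bounds-checked responder for the
 * TLS Heartbeat message format of RFC 6520.  A HeartbeatMessage is
 *   type (1 byte) | payload_length (2 bytes) | payload | padding (>= 16)
 * and the responder must size its copy by the record that arrived, not
 * by the attacker-controlled payload_length field. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16
#define HB_HEADER_LEN  3   /* type (1) + payload_length (2) */

/* Build a HeartbeatResponse for the request held in rec[0..rec_len).
 * Returns the number of response bytes written to out, or -1 if the
 * request is malformed (claimed payload does not fit in the record) or
 * the output buffer is too small. */
int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    /* A record too short to hold even an empty payload plus padding. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;

    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* The check that was missing: the claimed length must fit inside
     * the bytes that actually arrived, including the minimum padding. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len) return -1;

    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    /* RFC 6520 padding should be random; zeroed here for determinism. */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return (int)resp_len;
}

/* Test helper: encode a request whose header claims claimed_len bytes
 * while the record really carries actual_len bytes of payload.  The two
 * differ only to model a malformed message.  Returns the record length,
 * or 0 if buf is too small. */
size_t make_heartbeat_request(uint8_t *buf, size_t cap, const uint8_t *payload,
                              size_t actual_len, uint16_t claimed_len)
{
    size_t total = HB_HEADER_LEN + actual_len + HB_MIN_PADDING;
    if (total > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + HB_HEADER_LEN, payload, actual_len);
    memset(buf + HB_HEADER_LEN + actual_len, 0, HB_MIN_PADDING);
    return total;
}

int main(void)
{
    uint8_t req[64], resp[64];
    const uint8_t payload[] = "ping";   /* constructed sample payload */

    /* Well-formed: claimed length matches the 4 bytes actually sent. */
    size_t n = make_heartbeat_request(req, sizeof req, payload, 4, 4);
    int r = build_heartbeat_response(req, n, resp, sizeof resp);
    printf("well-formed request: response of %d bytes\n", r);

    /* Malformed: header claims 65535 bytes over a 4-byte payload. */
    n = make_heartbeat_request(req, sizeof req, payload, 4, 0xFFFF);
    r = build_heartbeat_response(req, n, resp, sizeof resp);
    printf("over-claimed request: %d (rejected)\n", r);
    return 0;
}
```

The 64 kilobytes mentioned above is simply the largest value a 16-bit `payload_length` field can hold; with the record-length comparison in place, a request that claims more than it carries is rejected instead of being echoed back with whatever followed it in memory.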
Government sites affected
Canada
The Canadian Revenue Agency (CRA) closed down its electronic services website over Heartbleed bug security concerns.
References
- Seggelmann, R.; et al. (February 2012). "Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension". RFC 6520. Internet Engineering Task Force (IETF). Retrieved 8 April 2014.
- OpenSSL (2014-04-07). "TLS heartbeat read overrun (CVE-2014-0160)". Retrieved 2014-04-08.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
- Codenomicon Ltd (2014-04-08). "Heartbleed Bug". Retrieved 2014-04-08.
- Goodin, Dan (2014-04-08). "Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping". Ars Technica. Retrieved 2014-04-08.
- "Why Heartbleed is dangerous? Exploiting CVE-2014-0160". IPSec.pl. 2014.
- Mutton, Paul (8 April 2014). "Half a million widely trusted websites vulnerable to Heartbleed bug". Netcraft Ltd. Retrieved 8 April 2014.
- "Security concerns prompts tax agency to shut down website". CTV News. 2014-04-09. Retrieved 2014-04-09.
- "How widespread is this?". heartbleed.com. 8 April 2014.
- "Why it is called the Heartbleed Bug?". heartbleed.com. 8 April 2014.
- "What versions of the OpenSSL are affected?". heartbleed.com. 8 April 2014.
- "The security experts...". beforeitsnews.com. 8 April 2014.
External links
- Codenomicon home page (www.codenomicon.com)
- Heartbleed bug security page, hosted by Codenomicon (heartbleed.com)