Heartbleed: Difference between revisions

Revision as of 17:00, 9 April 2014 by Enquire. Edit summary: Create EL, with Codenomicon primary links

Revision as of 17:03, 9 April 2014 by Enquire. Edit summary: delete spurious "references" that are actually quotes from the cited heartbleed.com page in EL
Line 19: Line 19:
}}</ref> }}</ref>
==References== ==References==
<ref>
"How widespread is this?", www.heartbleed.com. April 08, 2014. Web
</ref>
<ref>
"Why it is called the Heartbleed Bug?", www.heartbleed.com. April 08, 2014. Web
</ref>
<ref>
"What versions of the OpenSSL are affected?", www.heartbleed.com. April 08, 2014. Web
</ref>
<ref>
"The security experts...", www.beforeitsnews .com. April 08, 2014. Web
</ref>
<references /> <references />
<!--- After listing your sources please cite them using inline citations and place them after the information they cite. Please see http://en.wikipedia.org/Wikipedia:REFB for instructions on how to add citations. ---> <!--- After listing your sources please cite them using inline citations and place them after the information they cite. Please see http://en.wikipedia.org/Wikipedia:REFB for instructions on how to add citations. --->
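
Review bot: the fourth removed `<ref>` entry, "The security experts...", cites www.beforeitsnews .com rather than www.heartbleed.com, so the edit summary's description of the removed entries as quotes from the cited heartbleed.com page does not cover it. The removal of that entry should be justified separately in the summary. The three heartbleed.com entries are bare question headings with no claim attached, so dropping them in favour of the external link is consistent with the HTML comment on the last context line asking for inline citations.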

Revision as of 17:03, 9 April 2014

The Heartbleed Bug is a bug in the open-source library OpenSSL which allows an attacker to read the memory of a web server.

On April 7, 2014, it was announced that all versions of OpenSSL in the 1.0.1 series up to and including 1.0.1f had a severe memory handling bug in their implementation of the TLS Heartbeat Extension. This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat. Its CVE number is CVE-2014-0160.

The vulnerability has existed since December 31, 2011, and the vulnerable code came into widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012. By reading the memory of the web server, attackers could access sensitive data, compromising the security of the server and its users. Potentially exposed data include the server's private master key, which enables attackers to break the encryption of the server's earlier eavesdropped communications and thereby implement a man-in-the-middle attack.

The vulnerability might also reveal unencrypted parts of other users' sensitive requests and responses, including session cookies and passwords, which might allow attackers to hijack the identity of another user of the service. At its disclosure, some 17%, or half a million, of the Internet's secure web servers certified by trusted authorities were believed to have been vulnerable to the attack.

Government sites affected

Canada

The Canadian Revenue Agency (CRA) closed down its electronic services website over Heartbleed bug security concerns.
