
Heartbleed: Difference between revisions

Revision as of 17:03, 9 April 2014 by Enquire (talk | contribs). Edit summary: delete spurious "references" that are actually quotes from the cited heartbleed.com page in EL
Revision as of 17:14, 9 April 2014 by W. P. Uzer (talk | contribs), minor edit. Edit summary: Government sites affected
Line 10: Line 10:


===Canada=== ===Canada===
The ] (CRA) closed-down its electronic services website over Heartbleed bug security concerns.<ref>{{cite news The ] (CRA) closed down its electronic services website over Heartbleed bug security concerns.<ref>{{cite news
| title = Security concerns prompts tax agency to shut down website | title = Security concerns prompts tax agency to shut down website
| url = http://www.ctvnews.ca/canada/security-concerns-prompts-tax-agency-to-shut-down-website-1.1767727 | url = http://www.ctvnews.ca/canada/security-concerns-prompts-tax-agency-to-shut-down-website-1.1767727
Line 18: Line 18:
| accessdate = 2014-04-09 | accessdate = 2014-04-09
}}</ref> }}</ref>

==References== ==References==
<references /> <references />
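Review bot: the hyphen removal in the Canada paragraph is correct; "closed down" is a verb phrase here, not a compound modifier, so no hyphen applies. Note that the subject-verb mismatch in "Security concerns prompts tax agency to shut down website" sits inside the |title= field, which quotes the CTV News headline as published, so it should be left as is rather than corrected in a later edit.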

Revision as of 17:14, 9 April 2014

The Heartbleed Bug is a bug in the open-source library OpenSSL which allows an attacker to read the memory of a web server.

On April 7, 2014, it was announced that all versions of OpenSSL in the 1.0.1 series up to and including 1.0.1f had a severe memory handling bug in their implementation of the TLS Heartbeat Extension. This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat. Its CVE number is CVE-2014-0160.
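The defect described above sits in the handling of the heartbeat message, whose layout RFC 6520 fixes as a 1-byte type, a 16-bit payload length, the payload itself and at least 16 bytes of padding. Because the length field is 16 bits, a single message can claim at most 65535 payload bytes, which is where the "up to 64 kilobytes" figure comes from. The following is an added example, not code from OpenSSL or from the article, showing the bounds check a correct heartbeat handler must make: the declared payload length is only honoured if the header, payload and minimum padding all fit inside the record that was actually received. The function names, the zero-filled padding and the two sample records (`GOOD_REC`, `BAD_REC`) are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage layout:
 *   uint8  type            (1 = request, 2 = response)
 *   uint16 payload_length  (network byte order)
 *   opaque payload[payload_length]
 *   opaque padding[>= 16]
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR_LEN   3
#define HB_MIN_PAD   16

/* Returns the declared payload length if the record is well-formed, or -1
 * if the declared length does not fit inside the bytes actually received.
 * The check 1 + 2 + payload_length + 16 <= record_len must happen before
 * any byte of the payload is read or copied. */
int hb_validate(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < HB_HDR_LEN + HB_MIN_PAD)
        return -1;                     /* cannot even hold header + padding */
    if (rec[0] != HB_REQUEST)
        return -1;                     /* only requests are answered */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];   /* 16-bit: at most 65535 */
    if (declared > rec_len - HB_HDR_LEN - HB_MIN_PAD)
        return -1;                     /* claimed payload overruns the record */
    return (int)declared;
}

/* Builds a HeartbeatResponse into out (capacity out_cap) by echoing only the
 * validated payload bytes.  Returns the response length, or -1 on error.
 * Padding is zero-filled here for reproducibility; RFC 6520 calls for random
 * padding, which does not affect the bounds logic. */
int hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    int plen = hb_validate(rec, rec_len);
    if (plen < 0)
        return -1;
    size_t resp_len = HB_HDR_LEN + (size_t)plen + HB_MIN_PAD;
    if (out == NULL || out_cap < resp_len)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)(plen & 0xff);
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, (size_t)plen); /* bounded by hb_validate */
    memset(out + HB_HDR_LEN + plen, 0, HB_MIN_PAD);
    return (int)resp_len;
}

/* Constructed sample records (not captured traffic). */

/* Well-formed request: type 1, payload_length 4, payload "ping", 16 bytes padding. */
static const uint8_t GOOD_REC[3 + 4 + 16] = {
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Malformed request: the same 4 payload bytes are on the wire, but
 * payload_length claims 0x4000 (16384) bytes.  A checked handler rejects it
 * instead of copying bytes that lie beyond the received record. */
static const uint8_t BAD_REC[3 + 4 + 16] = {
    0x01, 0x40, 0x00, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int hb_demo_good(void) { uint8_t out[64]; return hb_build_response(GOOD_REC, sizeof GOOD_REC, out, sizeof out); }
int hb_demo_bad(void)  { uint8_t out[64]; return hb_build_response(BAD_REC,  sizeof BAD_REC,  out, sizeof out); }

int main(void)
{
    printf("well-formed record -> response length %d\n", hb_demo_good());  /* 23 */
    printf("inflated length    -> %d (rejected)\n", hb_demo_bad());        /* -1 */
    return 0;
}
```

The design point is that the length used for the copy is derived from the validated record size, never from the peer's declared value alone; a handler that trusts the declared length copies whatever follows the record in process memory into the response, which is the behaviour the article describes.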

The vulnerability has existed since December 31, 2011, and the vulnerable code came into widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012. By reading the memory of the web server, attackers could access sensitive data, compromising the security of the server and its users. Potentially exposed secure data include the server's private master key, which would enable attackers to break the encryption of the server's earlier eavesdropped communications and thereby mount a man-in-the-middle attack.

The vulnerability might also reveal unencrypted parts of other users' sensitive requests and responses, including session cookies and passwords, which might allow attackers to hijack the identity of another user of the service. At its disclosure, some 17%, or about half a million, of the Internet's secure web servers certified by trusted authorities were believed to have been vulnerable to the attack.

Government sites affected

Canada

The Canadian Revenue Agency (CRA) closed down its electronic services website over Heartbleed bug security concerns.

References

  1. Seggelmann, R.; et al. (February 2012). "Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension". RFC 6520. Internet Engineering Task Force (IETF). Retrieved 8 April 2014.
  2. OpenSSL (2014-04-07). "TLS heartbeat read overrun (CVE-2014-0160)". Retrieved 2014-04-08.
  3. MITRE. "CVE-2014-0160". https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
  4. Codenomicon Ltd (2014-04-08). "Heartbleed Bug". Retrieved 2014-04-08.
  5. Goodin, Dan (2014-04-08). "Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping". Ars Technica. Retrieved 2014-04-08.
  6. "Why Heartbleed is dangerous? Exploiting CVE-2014-0160". IPSec.pl. 2014.
  7. Mutton, Paul (8 April 2014). "Half a million widely trusted websites vulnerable to Heartbleed bug". Netcraft Ltd. Retrieved 8 April 2014.
  8. "Security concerns prompts tax agency to shut down website". CTV News. 2014-04-09. Retrieved 2014-04-09.


External links
