Revision as of 16:55, 9 April 2014 by Enquire (edit summary: create section for major government website affected) | Revision as of 16:57, 9 April 2014 by Petter Strandmark (edit summary: Replacing with text from OpenSSL instead.)
The '''Heartbleed Bug''' is a bug in the open-source library [[OpenSSL]] which allows an attacker to read the memory of a [[web server]].
{{Multiple issues|{{cleanup|date=April 2014|reason=verification, wikifying, links to other pages (currently orphan)}}{{dead end|date=April 2014}}{{orphan|date=April 2014}}{{advert|date=April 2014}}}}
On April 7, 2014, it was announced that all versions of OpenSSL in the 1.0.1 series up to and including 1.0.1f had a severe memory handling [[bug]] in their implementation of the [[Transport Layer Security|TLS]] Heartbeat Extension.<ref>{{cite web|title=Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension|url=https://tools.ietf.org/html/rfc6520|work=RFC 6520|publisher=Internet Engineering Task Force (IETF)|accessdate=8 April 2014|author=Seggelmann, R. et al.|date=February 2012}}</ref> This defect could be used to reveal up to 64 [[kilobyte]]s of the application's memory with every [[heartbeat]].<ref>{{Cite web| last = OpenSSL| title = TLS heartbeat read overrun (CVE-2014-0160)| accessdate = 2014-04-08| date = 2014-04-07| url = https://www.openssl.org/news/secadv_20140407.txt}}</ref> Its [[Common Vulnerabilities and Exposures|CVE]] number is CVE-2014-0160.<ref>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160</ref>
The Internet and the Heartbleed Bug
For security reasons, about 66 percent of the Internet, including the World Wide Web and its constituent websites, uses security features to protect data access and transfer between servers, between individual users, or between the two. The Heartbleed Bug has proven to be "lethal", and so measures are being employed to counter the "infection".
The vulnerability has existed since December 31, 2011, and the vulnerable code came into widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012.<ref name="hb">{{Cite web| last = Codenomicon Ltd| title = Heartbleed Bug| accessdate = 2014-04-08| date = 2014-04-08| url = http://heartbleed.com/}}</ref><ref>{{Cite web| last = Goodin| first = Dan| title = Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping| work = Ars Technica| accessdate = 2014-04-08| date = 2014-04-08| url = http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/}}</ref> By reading the memory of the web server, attackers could access sensitive data, compromising the security of the server and its users. Potentially vulnerable secure data include the server's [[private key|private master key]],<ref name="hb"/> which enables attackers to break the encryption of the server's earlier [[eavesdropping|eavesdropped]] communications (where a key exchange without forward secrecy was used) and to impersonate the server in a [[man-in-the-middle attack]].
It is called Heartbleed because the bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). When it is exploited, it leads to the leak of memory contents from the server to the client and from the client to the server, as reported on www.heartbleed.com.
The vulnerability might also reveal unencrypted parts of other users' sensitive requests and responses, including [[HTTP cookie|session cookie]]s and passwords, which might allow attackers to [[session hijacking|hijack the identity]] of another user of the service.<ref name="ipsec">{{cite web |url=http://ipsec.pl/ssl-tls/2014/why-heartbleed-dangerous-exploiting-cve-2014-0160.html |title=Why Heartbleed is dangerous? Exploiting CVE-2014-0160 |date=2014 |publisher=IPSec.pl}}</ref> At its disclosure, some 17%, or about half a million, of the Internet's secure [[web server]]s certified by [[certificate authority|trusted authorities]] were believed to have been vulnerable to the attack.<ref>{{cite web|last=Mutton|first=Paul|title=Half a million widely trusted websites vulnerable to Heartbleed bug|url=http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html|publisher=Netcraft Ltd.|accessdate=8 April 2014|date=8 April 2014}}</ref>
Several websites, including many well-known ones, have been affected, but quite a few famous ones, such as craigslist.org, Facebook.com and Google, are protected and not vulnerable to this bug. This Internet security problem is an implementation bug in OpenSSL, not a design flaw.
It was reported as early as 7 April 2014.
As reported by heartbleed.com:
This bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and by Neel Mehta of Google Security, who first reported it to the OpenSSL team. The Codenomicon team found the Heartbleed bug while improving the SafeGuard feature in Codenomicon's Defensics security testing tools and reported it to NCSC-FI for vulnerability coordination and reporting to the OpenSSL team.
Security experts say the Internet will remain vulnerable as long as the flawed version of OpenSSL is in use. Although a fixed OpenSSL has been released, it must be deployed, according to beforeitsnews.com.
''Digg.com'' writes that, "The Heartbleed bug is a just-discovered vulnerability in the immensely popular OpenSSL cryptographic software library. OpenSSL is the most widely used implementation of a suite of security protocols called Secure Sockets Layer (SSL) that help encrypt traffic while surfing the web."<ref>{{cite web|last=Petri|first=Josh|title=Explaining The Terrifying Bug That Just Exposed A Huge Portion Of The Internet's Secrets|url=http://digg.com/2014/heartbleed-explain-bug-openssl|publisher=Digg.com|accessdate=9 April 2014|date=8 April 2014}}</ref>
==Government site affected==
Revision as of 16:57, 9 April 2014
The Heartbleed Bug is a bug in the open-source library OpenSSL which allows an attacker to read the memory of a web server.
On April 7, 2014, it was announced that all versions of OpenSSL in the 1.0.1 series up to and including 1.0.1f had a severe memory handling bug in their implementation of the TLS Heartbeat Extension. This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat. Its CVE number is CVE-2014-0160.
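The following C model is an added illustration and is not OpenSSL's own code nor part of the original article. It contrasts a heartbeat handler that trusts the length field inside the message with one that bounds that length by the size of the record that actually arrived, which is the shape of the upstream fix. The simulated memory layout, the request contents and the "adjacent" secret are constructed sample data, and the function and constant names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* 1-byte type + 2-byte payload_length */
#define HB_PADDING  16  /* RFC 6520: at least 16 bytes of padding */

/* Simulated process memory: the received heartbeat record at the front,
 * then whatever the server allocated next. All contents are constructed. */
static unsigned char g_memory[256];
static const char g_secret[] =
    "SESSION=c0ffee; user=alice; -----BEGIN RSA PRIVATE KEY-----";

/* Serialise a heartbeat request. claimed_len is what the length field says;
 * actual_len is how much payload really follows. Returns the record length
 * as the TLS record layer would report it. */
size_t build_heartbeat(unsigned char *buf, uint16_t claimed_len,
                       const unsigned char *payload, size_t actual_len)
{
    size_t i = 0;
    buf[i++] = HB_REQUEST;
    buf[i++] = (unsigned char)(claimed_len >> 8);
    buf[i++] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + i, payload, actual_len);
    i += actual_len;
    memset(buf + i, 0xAA, HB_PADDING);  /* padding; random in a real peer */
    return i + HB_PADDING;
}

/* Model of the defect: payload_len comes from the message and is never
 * checked against rec_len, so memcpy reads past the record into whatever
 * follows it in memory. Returns the response length (0 = no response). */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *resp, size_t resp_cap)
{
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload_len = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    (void)rec_len;                      /* the bug: never consulted */
    if (hbtype != HB_REQUEST || (size_t)HB_HEADER + payload_len + HB_PADDING > resp_cap)
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload_len >> 8);
    resp[2] = (unsigned char)(payload_len & 0xff);
    memcpy(resp + HB_HEADER, p, payload_len);   /* over-read happens here */
    memset(resp + HB_HEADER + payload_len, 0xBB, HB_PADDING);
    return HB_HEADER + payload_len + HB_PADDING;
}

/* Hardened handler: the claimed length must fit inside the record that
 * actually arrived; otherwise the request is silently discarded, as
 * RFC 6520 section 4 requires. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *resp, size_t resp_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING)    /* cannot hold a message */
        return 0;
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload_len = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if ((size_t)HB_HEADER + payload_len + HB_PADDING > rec_len)
        return 0;                            /* claimed length exceeds record */
    if (hbtype != HB_REQUEST || (size_t)HB_HEADER + payload_len + HB_PADDING > resp_cap)
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload_len >> 8);
    resp[2] = (unsigned char)(payload_len & 0xff);
    memcpy(resp + HB_HEADER, p, payload_len);
    memset(resp + HB_HEADER + payload_len, 0xBB, HB_PADDING);
    return HB_HEADER + payload_len + HB_PADDING;
}

/* Place a request that claims 64 payload bytes but carries 2, followed by
 * the constructed secret. Returns the record length (= secret offset). */
size_t setup_memory(void)
{
    memset(g_memory, 0, sizeof g_memory);
    size_t rec_len = build_heartbeat(g_memory, 64, (const unsigned char *)"hi", 2);
    memcpy(g_memory + rec_len, g_secret, sizeof g_secret);
    return rec_len;
}

/* How many bytes from beyond the record end were echoed in the response. */
size_t bytes_leaked(const unsigned char *resp, size_t resp_len, size_t rec_len)
{
    size_t echoed = resp_len > HB_HEADER + HB_PADDING
                  ? resp_len - HB_HEADER - HB_PADDING : 0;
    size_t in_record = rec_len - HB_HEADER;  /* payload + padding really sent */
    if (echoed <= in_record)
        return 0;
    if (memcmp(resp + HB_HEADER + in_record, g_memory + rec_len, echoed - in_record) != 0)
        return 0;
    return echoed - in_record;
}

int main(void)
{
    unsigned char resp[256];
    size_t rec_len = setup_memory();
    size_t n = heartbeat_vulnerable(g_memory, rec_len, resp, sizeof resp);
    printf("vulnerable: %zu-byte response, %zu bytes leaked from adjacent memory\n",
           n, bytes_leaked(resp, n, rec_len));
    n = heartbeat_fixed(g_memory, rec_len, resp, sizeof resp);
    printf("fixed: %zu-byte response (malformed request discarded)\n", n);
    return 0;
}
```

With a claimed length of 64 and only 2 real payload bytes, the vulnerable handler echoes 46 bytes of the constructed secret; a real request can claim up to 65535 bytes, which is where the article's figure of roughly 64 kilobytes per heartbeat comes from. The hardened handler never reads outside the record, and it rejects rather than answers, so a malformed probe gets no response at all.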
The vulnerability has existed since December 31, 2011, and the vulnerable code came into widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012. By reading the memory of the web server, attackers could access sensitive data, compromising the security of the server and its users. Potentially vulnerable secure data include the server's private master key, which enables attackers to break the encryption of the server's earlier eavesdropped communications (where a key exchange without forward secrecy was used) and to impersonate the server in a man-in-the-middle attack.
The vulnerability might also reveal unencrypted parts of other users' sensitive requests and responses, including session cookies and passwords, which might allow attackers to hijack the identity of another user of the service. At its disclosure, some 17%, or about half a million, of the Internet's secure web servers certified by trusted authorities were believed to have been vulnerable to the attack.
Government site affected
Canada
The Canada Revenue Agency (CRA) shut down its electronic services website over Heartbleed bug security concerns.
References
- Seggelmann, R.; et al. (February 2012). "Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension". RFC 6520. Internet Engineering Task Force (IETF). Retrieved 8 April 2014.
- OpenSSL (2014-04-07). "TLS heartbeat read overrun (CVE-2014-0160)". Retrieved 2014-04-08.
- "CVE-2014-0160". MITRE Common Vulnerabilities and Exposures. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
- Codenomicon Ltd (2014-04-08). "Heartbleed Bug". Retrieved 2014-04-08.
- Goodin, Dan (2014-04-08). "Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping". Ars Technica. Retrieved 2014-04-08.
- "Why Heartbleed is dangerous? Exploiting CVE-2014-0160". IPSec.pl. 2014.
- Mutton, Paul (8 April 2014). "Half a million widely trusted websites vulnerable to Heartbleed bug". Netcraft Ltd. Retrieved 8 April 2014.
- "Security concerns prompts tax agency to shut down website". CTV News. 2014-04-09. Retrieved 2014-04-09.
- "How widespread is this?". heartbleed.com. Retrieved 8 April 2014.
- "Why it is called the Heartbleed Bug?". heartbleed.com. Retrieved 8 April 2014.
- "What versions of the OpenSSL are affected?". heartbleed.com. Retrieved 8 April 2014.
- "The security experts...". beforeitsnews.com. Retrieved 8 April 2014.