Heartbleed

This is an old revision of this page, as edited by Petter Strandmark (talk | contribs) at 16:57, 9 April 2014 (Replacing with text from OpenSLL instead.). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

The Heartbleed Bug is a bug in the open-source library OpenSSL which allows an attacker to read the memory of a web server.

On April 7, 2014, it was announced that all versions of OpenSSL in the 1.0.1 series up to and including 1.0.1f had a severe memory handling bug in their implementation of the TLS Heartbeat Extension. This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat. Its CVE number is CVE-2014-0160.
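The defect described above is a missing bounds check: the heartbeat message carries a 16-bit field stating how many payload bytes follow, and the vulnerable code copied that many bytes into the response without confirming that the record actually contained them. The following is an added illustration, not OpenSSL's own code: a simplified, self-contained heartbeat parser in the style of RFC 6520 (1-byte type, 2-byte length, payload, at least 16 bytes of padding) that performs the check the vulnerable versions lacked. The function names `hb_parse` and `hb_build_response`, the status codes and the sample records are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat message layout (RFC 6520): 1-byte type, 2-byte payload length,
 * payload bytes, then at least 16 bytes of padding. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_PADDING_MIN 16

/* Parser status codes (names are this example's own, not OpenSSL's). */
enum hb_status { HB_OK = 0, HB_TOO_SHORT = -1, HB_LENGTH_MISMATCH = -2, HB_BAD_TYPE = -3 };

/* Parse a heartbeat record of record_len bytes. On success *payload and
 * *payload_len describe the payload inside rec. The essential defence is that
 * the length claimed inside the message is compared with the number of bytes
 * actually received before anything is copied; the vulnerable OpenSSL versions
 * trusted the claimed length, so a small record claiming a large payload made
 * the response echo whatever lay beyond the record in process memory. */
enum hb_status hb_parse(const uint8_t *rec, size_t record_len,
                        const uint8_t **payload, size_t *payload_len)
{
    if (record_len < HB_HEADER_LEN + HB_PADDING_MIN)
        return HB_TOO_SHORT;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return HB_BAD_TYPE;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The missing check: header + claimed payload + minimum padding must fit
     * within the bytes that were really received. */
    if (HB_HEADER_LEN + claimed + HB_PADDING_MIN > record_len)
        return HB_LENGTH_MISMATCH;
    *payload = rec + HB_HEADER_LEN;
    *payload_len = claimed;
    return HB_OK;
}

/* Build a heartbeat response into out (capacity out_cap), echoing only the
 * validated payload. Returns the number of bytes written, or 0 on rejection. */
size_t hb_build_response(const uint8_t *rec, size_t record_len,
                         uint8_t *out, size_t out_cap)
{
    const uint8_t *payload;
    size_t plen;
    if (hb_parse(rec, record_len, &payload, &plen) != HB_OK)
        return 0;
    size_t need = HB_HEADER_LEN + plen + HB_PADDING_MIN;
    if (need > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)(plen & 0xff);
    memcpy(out + HB_HEADER_LEN, payload, plen);
    /* Real TLS padding is random; zero bytes keep this example deterministic. */
    memset(out + HB_HEADER_LEN + plen, 0, HB_PADDING_MIN);
    return need;
}

/* Constructed sample: a well-formed request carrying the 5-byte payload "hello". */
static const uint8_t GOOD_REQ[] = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Constructed sample: the same 24-byte record, but claiming 65535 payload bytes. */
static const uint8_t BAD_REQ[]  = { 0x01, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    uint8_t out[64];
    size_t n = hb_build_response(GOOD_REQ, sizeof GOOD_REQ, out, sizeof out);
    printf("well-formed request: %zu-byte response\n", n);
    n = hb_build_response(BAD_REQ, sizeof BAD_REQ, out, sizeof out);
    printf("over-length request: %zu bytes written (rejected)\n", n);
    return 0;
}
```

With the check in place the second record is refused rather than answered, so the response can never contain more bytes than the peer actually sent; the 64-kilobyte figure in the text is simply the maximum the 16-bit length field can claim.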

The vulnerability has existed since December 31, 2011, and the vulnerable code came into widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012. By reading the memory of the web server, attackers could access sensitive data, compromising the security of the server and its users. Potentially vulnerable secure data include the server's private master key, which enables attackers to break the encryption of the server's earlier eavesdropped communications and thereby implement a man-in-the-middle attack.

The vulnerability might also reveal unencrypted parts of other users' sensitive requests and responses, including session cookies and passwords, which might allow attackers to hijack the identity of another user of the service. At its disclosure, some 17% or half a million of the Internet's secure web servers certified by trusted authorities were believed to have been vulnerable to the attack.

Government sites affected

Canada

The Canada Revenue Agency (CRA) closed down its electronic services website over Heartbleed security concerns.
