How did the Heartbleed bug come about

Password access: Heartbleed vulnerability with catastrophic consequences

It is gradually becoming clear how much damage the fatal security hole in the OpenSSL crypto library has already caused or will still cause. In a scan of the 10,000 most-visited websites according to Alexa, 628 servers were still exposing the contents of their memory on Tuesday afternoon. Among them are prominent names such as HypoVereinsbank, Yahoo, Flickr, Kaspersky, the payment processor AfterBuy, Sparkasse.at, BitTorrent and many more. Yesterday, Tuesday, we reported on the vulnerability of Adobe, Web.de, VeriSign and others. The list goes on.

Stragglers

Particularly troubling is that numerous services were still vulnerable in spot checks on Wednesday afternoon. The file-hosting service Rapidshare.com, for example, was disclosing details of its users' download activity through the hole, and Synology's DynDNS service was still leaking email addresses and user passwords until shortly before this article went online. Both companies reacted only after heise Security had informed them of the acute security problem.

Data leak

In principle, all confidential data that has passed through an affected server must be considered compromised. The bug hands an attacker sensitive data on a silver platter, because it lets him read memory belonging to the process that uses OpenSSL: up to 64 KB per heartbeat request, and the request can be repeated as often as he likes. The memory region reachable through the hole can contain not only plaintext credentials but also session IDs and even the private keys belonging to the server's SSL certificates. An attacker who recorded encrypted traffic in the past can use a stolen key to decrypt that traffic retroactively (unless the server operator has enabled Perfect Forward Secrecy, in which case the session keys never depended on the certificate's private key).
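To make concrete how a single heartbeat request can return memory beyond its own payload, here is a simplified model of the TLS heartbeat handler in C. It is an added illustration for this article, not OpenSSL's own code: the record layout (one type byte, a two-byte payload length, the payload, 16 bytes of padding) follows RFC 6520, the two length checks in the hardened path mirror the ones the OpenSSL 1.0.1g fix added, and the "process memory", the "ping" request and the private-key stand-in are constructed for the demo. The buffer sizes and the function names process_heartbeat and leak_demo are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat handler (RFC 6520), written for this
 * article to illustrate CVE-2014-0160. Not OpenSSL's code. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16          /* minimum padding required by RFC 6520 */

/* Handle one heartbeat record of rec_len bytes starting at rec and write the
 * response to out. Returns the response length, or -1 if the record is
 * rejected. hardened == 0 trusts the peer's length field, as the vulnerable
 * code did; hardened == 1 checks it against how many bytes actually arrived. */
int process_heartbeat(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap, int hardened)
{
    /* Fix 1: drop records too short to hold even header + padding. */
    if (hardened && rec_len < 1 + 2 + HB_PADDING)
        return -1;
    if (rec_len < 3)            /* keeps the model itself memory-safe */
        return -1;

    unsigned char type = rec[0];
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    const unsigned char *payload = rec + 3;

    if (type != HB_REQUEST)
        return -1;

    /* Fix 2: the claimed payload plus padding must fit inside the record
     * that was actually received. Without this, payload_len is a 16-bit
     * attacker-controlled number and the copy below walks up to 64 KB past
     * the end of the real payload. */
    if (hardened && (size_t)1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = (size_t)1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)     /* cap exists only in this model; OpenSSL */
        return -1;              /* allocated the response at resp_len      */

    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    /* Vulnerable path: copies payload_len bytes from wherever the record
     * sits in memory, regardless of how long the record really is. */
    memcpy(out + 3, payload, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING); /* OpenSSL used random padding */
    return (int)resp_len;
}

/* Constructed demo: a block of "process memory" holding the incoming
 * heartbeat record followed by a stand-in for a private key. */
static unsigned char proc_mem[256];
static unsigned char response[256];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY-----";

static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Send a request whose real payload is the 4 bytes "ping" but whose length
 * field claims claimed_len bytes. Returns 1 if the secret leaked into the
 * response, 0 if the response was clean, -1 if the request was rejected. */
int leak_demo(int hardened, int claimed_len)
{
    memset(proc_mem, 0, sizeof proc_mem);
    proc_mem[0] = HB_REQUEST;
    proc_mem[1] = (unsigned char)(claimed_len >> 8);
    proc_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(proc_mem + 3, "ping", 4);
    size_t rec_len = 3 + 4 + HB_PADDING;               /* bytes actually on the wire */
    memcpy(proc_mem + rec_len, secret, sizeof secret);  /* adjacent heap contents */

    int n = process_heartbeat(proc_mem, rec_len, response, sizeof response, hardened);
    if (n < 0)
        return -1;
    return contains(response, (size_t)n, secret);
}

int main(void)
{
    printf("vulnerable, claimed 60 bytes: leak=%d\n", leak_demo(0, 60));
    printf("hardened,   claimed 60 bytes: leak=%d\n", leak_demo(1, 60));
    printf("hardened,   claimed  4 bytes: leak=%d\n", leak_demo(1, 4));
    return 0;
}
```

The demo deliberately keeps the over-read inside a buffer it owns, so it runs without undefined behaviour; on a real server the bytes behind the record are whatever the heap allocator placed there, which is why the leak is unpredictable from request to request and why repeating it pays off for the attacker.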

Need for action

The first cases of abuse are already known. Ars Technica, for example, has urged all of its readers to change their passwords after a rise in the number of hijacked accounts. Anyone operating a server with a vulnerable OpenSSL version and the heartbeat extension enabled should first update the crypto library, then replace the private keys and certificates used on the server (revoking the old certificates), and only after that invalidate existing sessions and have users change their passwords, since credentials entered before the update can themselves have leaked.

According to data from the statistics company Netcraft, the heartbeat extension is enabled on almost 18 percent of all web servers that use SSL; the company puts around half a million website certificates at risk. The true number could be even higher, because Netcraft examined only web servers, while mail servers and other services that link against OpenSSL can be just as susceptible. (rei)
