How did the Heartbleed bug come about?
Passwords exposed: the Heartbleed vulnerability and its catastrophic consequences
It is gradually becoming clear how much damage the fatal security hole in the OpenSSL crypto library has already caused or will still cause. In a check of the 10,000 most visited websites according to Alexa, 628 servers still allowed intimate glimpses into their memory on Tuesday afternoon. Among them are prominent names such as HypoVereinsbank, Yahoo, Flickr, Kaspersky, the payment processor AfterBuy, Sparkasse.at, BitTorrent and many more. Yesterday (Tuesday) we reported on the vulnerability of Adobe, Web.de, VeriSign and others. The list goes on and on.
What is particularly bitter is that numerous services were still vulnerable in spot checks on Wednesday afternoon. The file-hosting service Rapidshare.com, for instance, leaked details of its users' download behaviour through the hole, and Synology's DynDNS service was until recently still exposing e-mail addresses and user passwords. Both companies reacted only after heise Security had informed them of the acute security problem.
Basically, all confidential data that has passed through an affected server must be considered compromised. An attacker is handed sensitive data on a silver platter, because the bug lets him read chunks of the OpenSSL process's memory. The memory region reachable through the hole can contain not only plaintext login credentials, but also session IDs and even the private keys belonging to the servers' SSL certificates. An attacker who recorded encrypted traffic in the past can use a stolen private key to decrypt it retroactively (unless the server operator had enabled Perfect Forward Secrecy, in which case the recorded sessions were protected by ephemeral keys that the certificate's private key alone does not reveal).
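To show how such a memory leak comes about, here is an added, deliberately simplified model of the heartbeat handling; it is illustrative code written for this page, not OpenSSL's own source. A heartbeat message (RFC 6520) carries a two-byte payload_length field chosen by the sender, so an attacker can claim up to 65535 bytes while sending only a handful. The vulnerable handler trusts that field and copies that many bytes out of the receive buffer, returning whatever lies beyond the real message; the fixed handler performs the check that OpenSSL 1.0.1g added, rejecting any claim that does not fit inside the record actually received. The `arena` buffer, the `SECRET` string placed next to the record, and all function names are constructed assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat layout (RFC 6520): type (1) | payload_length (2, big-endian) | payload | padding (>=16).
 * The record layer tells the receiver how many bytes really arrived; payload_length is
 * attacker-controlled and may claim far more. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16
#define ARENA_SIZE  4096

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap);

/* Constructed "process memory": the incoming record sits at the start, and an unrelated
 * secret (constructed sample data) happens to lie a few dozen bytes further along,
 * as a recently freed cookie or password might in a real server. */
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "PHPSESSID=4c1a9; password=correct-horse";

/* Write a heartbeat request into rec and return how many bytes are really there. */
static size_t build_heartbeat(unsigned char *rec, uint16_t claimed_len,
                              const char *payload, size_t actual_len)
{
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed_len >> 8);
    rec[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(rec + 3, payload, actual_len);
    memset(rec + 3 + actual_len, 0, HB_PADDING);
    return 1 + 2 + actual_len + HB_PADDING;
}

/* Vulnerable handler: trusts payload_length and copies that many bytes out of the
 * record buffer, reading past the end of what was actually received. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                   /* the bug: never consulted */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2]; /* attacker's claim, up to 65535 */
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;                /* only the destination is checked */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);               /* over-read: leaks adjacent memory */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Hardened handler: header + claimed payload + padding must fit inside the record
 * that actually arrived, otherwise the message is silently dropped (as in 1.0.1g). */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;   /* claimed length lies */
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

static int contains(const unsigned char *hay, size_t hay_len, const char *needle, size_t nlen)
{
    if (nlen == 0 || hay_len < nlen) return 0;
    for (size_t i = 0; i + nlen <= hay_len; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Send the 3-byte payload "abc" with the given claimed length through a handler.
 * Returns the response length (0 = dropped) and sets *leaked if the secret came back. */
static size_t run_heartbeat(hb_handler handler, uint16_t claimed_len, int *leaked)
{
    static unsigned char resp[ARENA_SIZE + 32];
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_heartbeat(arena, claimed_len, "abc", 3);
    memcpy(arena + 64, SECRET, sizeof SECRET);
    size_t n = handler(arena, rec_len, resp, sizeof resp);
    *leaked = contains(resp, n, SECRET, strlen(SECRET));
    return n;
}

static int leaks_secret(hb_handler h, uint16_t claimed) { int l; run_heartbeat(h, claimed, &l); return l; }
static size_t response_len(hb_handler h, uint16_t claimed) { int l; return run_heartbeat(h, claimed, &l); }

int main(void)
{
    printf("vulnerable, claimed 4000: %zu bytes back, leaked=%d\n",
           response_len(heartbeat_vulnerable, 4000), leaks_secret(heartbeat_vulnerable, 4000));
    printf("fixed,      claimed 4000: %zu bytes back, leaked=%d\n",
           response_len(heartbeat_fixed, 4000), leaks_secret(heartbeat_fixed, 4000));
    return 0;
}
```

The vulnerable handler answers the 22-byte request with 4019 bytes, including the planted secret, while the fixed handler drops it and only echoes honest requests (a claimed length of 3 yields a 22-byte response). In the real bug the over-read extended into OpenSSL's heap, so repeated requests return different adjacent allocations, which is why credentials, session IDs and key material all surface over time.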
Need for action
The first cases of abuse are also known. Ars Technica, for example, has urged all of its readers to change their passwords after the number of hijacked accounts rose. Anyone operating a server with a vulnerable OpenSSL version and the heartbeat extension enabled should first update the crypto library, then replace the private keys and certificates used on the server and have the old certificates revoked. Users should change their passwords only once a service has been patched and re-keyed; a new password sent to a still-vulnerable server travels through the same hole.
According to figures from the statistics company Netcraft, the heartbeat extension is enabled on almost 18 percent of all web servers that use SSL. The company considers around half a million website certificates to be at risk. The real number could be higher still, since Netcraft only examined web servers; mail servers and other services can be affected just as well. (rei)