The flaw in OpenSSL for two years has compromised the security of SSL/TTL, possibly allowed unsafe encrypted communications. Most of the regular readers of this website, for the third time in this website’s ~5 years history, was not updating the articles – this website’s article part has no HTTPS urls, then what made many websites like us to pause and take a deeper breath? While most of the OpenSSL and the Heartbleed Bug has been fixed, there are still unknown, undiscovered services which can suddenly take any website’s security to off. Notification about OpenSSL Vulnerability (CVE-2014-0160) rather synonymous to commonman as HeartBleed was publicly known to the system administrators on 8th April, 2014. Today is 14th April. Yet, the red alert about OpenSSL and the Heartbleed Bug has not waned off.
OpenSSL, Heartbleed Bug : The Technical Part in Brief
OpenSSL is the Open Source implementations of SSL network protocols. If you want to read about the basics on OpenSSL, SSL (Secure Sockets Layer) and TLS (Transport Layer Security) etceteras basic topics, please follow the corresponding linked articles. The question might arrive in your mind, OpenSSL is Free Software option, when we need to bother when actually most website uses a Paid SSL Certificate? If you have a quick look through our guide – How To Install SSL Certificate on Rackspace Cloud Server; you’ll realize the fact – without OpenSSL it is not really possible to implement any paid certificate.
The Heartbleed Bug has become the symbol of the vulnerability discovered by an independent security company, Codenomicon, in collaboration with a researcher Google, Neel Mehta.
OpenSSL, Heartbleed Bug : Protocols (in) security?
The bug is classified as a buffer over-read, a situation where software allows more data to be read than should be allowed. OpenSSL is a security software that deals to encrypt certain sensitive data – making them not to be intercepted by malicious people and then protect them until their arrival in the destination server takes place.
The use of SSL and TTL is now a common practice on the web, especially with regard to services or more generally in areas that require a high level of security like, e-commerce sites, banks multichannel recordings, social networks, email and instant messaging services etc. Padlock icon that appears at the top right in our browser and operating protocols is just to certify that, once certain data is sent, these can not be intercepted / read by the third parties as they are encrypted and viewable only by the recipient of the information on the server that has the corresponding decryption key.
// see diff
Earlier, when the PRISM / Malware activities of Governmental agencies were discovered, people switched to SSL / TLS as the cost of decrypting data will be so high that they will probably not read our private data. So, the discovered things has much importance than thought on 8th April, just like Millions of Android devices found to be unsafe.
With the serious bug found in one of the OpenSSL libraries, all the precautionary measures taken by the protocols. Heartbleed allows the attackers to read memory systems designed to be protected and allows to capture information present in it (from personal password to the decryption keys used by the same server) or intercept any data transit (email, messaging, etc). It is therefore a serious problem and should not be underestimated. Nearly 66% of websites could be affected by this vulnerability: OpenSSL is in fact is the default encryption solution for Apache and nginx.
The OpenSSL version is plagued by Heartbleed 1.0.1f released about two years ago. Following the discovery of Codenomicon was released a security update (1.0.1g) designed just for “to patch” to the problem. The only viable solution is then to apply the patch termination and effectively spread the news so decrease the number of individuals attacked.
As for the high-sounding names, “in the first place” have been confirmed as vulnerable, until the last-update, the website of the FBI (!), Yahoo (even though most of the servers have been updated now) the well-known image hoster Imgur, OKCupid and Eventbrite, Amazon (some parts of the infrastructure have been patched). It is not clearly known why Google, Twitter and Facebook either were not affected by the problem or hidden the facts. Anyway it is recommended to change the old passwords. The curious readers can also consult the list that Github is currently drafting. SoundCloud was also affected. The bug has been available to hackers for almost two years and a series of thefts may already have been done without leaving any trace. Most speculate that this vulnerability was also used by the U.S. intelligence services, such as the NSA, for the illegal acquisition of information, but this is obviously just conjecture and supposition. Not to forget the coincidence, Google, Twitter and Facebook were not affected and they were fired first by the mass users for supplying personal data of the users to NSA.