SSL, short for Secure Sockets Layer, is what puts the S in HTTPS. Savvy users know to look for HTTPS in the address bar before entering any sensitive information on a website. Our SecurityWatch posts frequently chastise Android apps that transmit personal data without using SSL. Alas, the recently discovered "Heartbleed" bug allows attackers to intercept SSL-protected communication.
The bug is called Heartbleed because it piggybacks on a feature called heartbeat, affects specific versions of the widely-used OpenSSL cryptographic library. According to the <a href="http://heartbleed.com/" target="_blank">website</a> that was created to report on Heartbleed, the combined market share of the two biggest open source Web servers using OpenSSL is more than 66 percent. OpenSSL is also used to secure email, chat servers, VPNs, and "a wide variety of client software." It's all over the place.
It's Bad, Really Bad
An attacker taking advantage of this bug gains the ability to read data stored in the affected server's memory, including the all-important encryption keys. The names and passwords of users and the totality of the encrypted content can also be captured. According to the site, "This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."
The site goes on to note that capturing secret keys "allows the attacker to decrypt any past and future traffic to the protected services." The only solution is to update to the very latest version of OpenSSL, revoke the stolen keys, and issue new keys. Even then, if the attacker intercepted and stored encrypted traffic in the past, the captured keys will decrypt it.
What Can Be Done
This bug was discovered independently by two different groups, a pair of researchers from Codenomicon and a Google security researcher. Their strong suggestion is that OpenSSL release a version that completely disables the heartbeat feature. With that new edition rolled out, vulnerable installations could be detected because only they would respond to the heartbeat signal, allowing "large scale coordinated response to reach owners of vulnerable services."
The security community is taking this problem seriously. You'll find notes about it on the <a href="http://www.us-cert.gov/ncas/current-activity/2014/04/08/OpenSSL-Heartbleed-Vulnerability?utm_source=twitterfeed&utm_medium=twitter" target="_blank">US-CERT</a> (United States Computer Emergency Readiness Team) website, for example. You can test your own servers <a href="http://filippo.io/Heartbleed/" target="_blank">here</a> to see if they're vulnerable.
No comments:
Post a Comment