UPDATE: A previous version of this article stated – citing a list on Github – that users on a site called HideMyAss were affected by Heartbleed. A spokesperson from that site reached out to us claiming that their users are not affected, and we removed them from the list of affected sites accordingly.

UPDATE #2: The post has been updated with the list of affected services that officially recommend that users change their passwords.

You know a security vulnerability is a serious one when NPR’s David Greene leads into the 8 AM hour of Morning Edition talking about it. Such was the case yesterday morning, with the story of a serious encryption flaw – dubbed Heartbleed – in OpenSSL, perhaps the most widely deployed encryption library on the Internet.

If you’re a bit confused about what this all means, don’t worry, I am going to attempt to unpack the whole story in the next 500 words or so.

When you establish an encrypted connection to a website, whether it’s Google, Facebook, or your bank’s online branch, the data is encrypted using the SSL/TLS protocol. Many popular web servers utilize the open-source OpenSSL library to do this job for them.

Earlier this week, the maintainers of OpenSSL released a fix for a serious bug in the implementation of a TLS feature called “Heartbeat,” which could potentially reveal up to 64 kB of server memory to an attacker. In other words, the flaw could have enabled anyone on the Internet to read the memory of a machine that’s protected by a vulnerable version of the library. In the worst-case scenario, this small block of memory may contain something sensitive – user names, passwords, or even the private key which is used by the server to keep your connection encrypted.