What is SSL?
SSL is a popular encryption technology to protect user privacy information transmitted via the Internet. When a user visits a secure Web site, such as Gmail.com, you will see a “lock” in the next URL address, show that you communicate information on the site is encrypted.
??This “lock” indicates that a third party can not read any communication of information between you and the site. In the background, through SSL encrypted data can be decrypted only recipient. If criminals monitor the user’s conversation, we can only see a bunch of random string, and can not understand email, Facebook posts, credit card numbers or other private information of the specific content.
SSL was first launched by Netscape in 1994, has been adopted by all major browsers since the 1990s. In recent years, many large network services have been the default use of this technology to encrypt data. Today, Google , Yahoo and Facebook are using the default SSL to encrypt their websites and web services.
What is a “bleeding heart” loophole?
Most SSL-encrypted websites using open source software package called for OpenSSL. This week, researchers announced that there are serious loopholes in the software, communications and information may result in the user’s exposure to the listener. OpenSSL has existed about two years ago this defect.
Works: SSL standard contains a heartbeat option that allows a computer to connect one end of the SSL issue a brief message, verify that the computer and the other end is still online, and get feedback. The researchers found that the heart can send a malicious message through clever means to deceive the computer and the other end of the disclosure of confidential information. The computer may be affected thereby deceived, and send the information in the server’s memory.
??The impact of the vulnerability so big?
Great, because there are a lot of private information is stored in server memory. Princeton University computer scientist Ed Phil Teng (Ed Felten) said that the attacker can use this technology through pattern matching sort of information, and to find keys, passwords, and credit card number and other personal information.
Lost credit card numbers and passwords much harm, believed to have been self-evident. But the consequences may be more severe stolen keys. This is a set of codes used to organize the information server encrypted information. If an attacker access to the server’s private key, you can read any of the information received, and even fake server using the key to deceive users into disclosing passwords and other sensitive information.
??Who found this problem?
The vulnerability was conducted by researchers Codenomicon and Google security sector independent discovery. In order to minimize the impact, the researchers have the OpenSSL team and other key insiders launched a co-publication of the issue before it is ready for repair program.
??Who can use the “bleeding heart” loophole?
“For people who understand this vulnerability to take advantage of them is not difficult.” Phil Teng said. Exploit the vulnerability of software on the Internet there are many, although the software is not as easy to use iPad application, but anyone with basic programming skills can learn to use it.
Of course, the value of this vulnerability is perhaps the largest intelligence agencies, they have enough infrastructure to expand the scale of user traffic interception. We know that the U.S. National Security Agency (hereinafter referred to as “NSA”) has signed a secret agreement with the U.S. carriers can enter to the Internet backbone. Users may think, SSL encryption technology, such as Gmail and Facebook on the site to protect them from eavesdropping, but it can make use of NSA “bleeding heart” loophole to obtain the private key to decrypt the communication of information.
Although it is not certain, but if the NSA before the “bleeding heart” vulnerability has been discovered this vulnerability made public, it is not surprising. OpenSSL is one of today’s most widely used encryption software, so you can be sure that, NSA security experts have been very carefully studied its source code. ‘
??How many sites are affected?
There is no specific statistics, but found that the vulnerability researchers noted that two of today’s most popular web server Apache and nginx uses OpenSSL. Overall, about two thirds of both total global server site. SSL is also used in other Internet software, such as desktop email clients and chat software.
The researchers found that the vulnerability has been notified a few days ago OpenSSL team and key stakeholders. This allows OpenSSL vulnerability to the day of the publication released a fixed version.To solve this problem, you need to install the latest version of the major sites OpenSSL soon as possible.
??Yahoo spokesman said: “Our team has been Yahoo’s major assets (including the Yahoo home page, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo cuisine, Yahoo Technology, Flickr and Tumblr) successful deployment of appropriate remedial measures We are currently working to repair measures for its deployment to other sites. “
Google said: “We have evaluated the SSL vulnerability, and critical services to Google patched.” Facebook said publicly at the time of the vulnerability, the company has solved this problem.
Microsoft spokesman said: “We are concerned about reports of OpenSSL problem if indeed affect our equipment and services, we will take the necessary measures to protect the user..”
??Users should be how to deal with this problem?
Unfortunately, if you visited the affected sites, users can not take any measures to protect themselves. Administrator of the affected site software needs to be upgraded in order to provide adequate protection for the user.
However, once the affected site to repair this problem, the user can change the password to protect themselves. The attacker may have intercepted the user’s password, but the user can not know whether their password has been stolen by others.
To be honest, I found the OpenSSL bleeding heart loophole for those who declare surprised. When I heard their statement, I think 64 KB of data is not enough to deduce the private key data as a class. At least on x86, the heap is to address the high growth, so I think it can only be read pointer pl read the newly allocated memory areas, such as regional pointer bp points. Storing the private key distribution and other information in the memory area allocated to the memory area as early as pointers pl points, so an attacker can not read those sensitive data.
Soon to be upgraded OpenSSL 1.0.1g version to fix the vulnerability.
Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.
The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. An attacker could exploit this vulnerability by implementing a malicious TLS or Datagram Transport Layer Security (DTLS) client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. An exploit could send a specially crafted TLS or DTLS heartbeat packet to the connected client or server. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information that may include private keys and passwords.
Recent Comments