ღ If you haven’t heard about this very serious Internet security flaw, don’t click away from this screen until you read this information. Ignoring this may not be in your best interest. ♥
There is a major flaw in the security of the World Wide Web named Heartbleed; it’s so serious it has Internet security teams, business organizations and some individuals scrambling to close the leak. I posted a message about this on my SkillfullDesign blog 3 days ago but there are still a lot of people in the dark about this problem and how it affects them.
A massive vulnerability has been found in OpenSSL, the open-source software package routinely used to encrypt secure Web communications. On a 1 to 10 scale of serious Internet security concerns, this one rates a 9.5.
The flaw allows attackers to steal information that is normally protected by SSL/TLS encryption, which is used to secure Internet communications with many financial institution applications, e-mail, instant messaging (IM) and some virtual private networks (VPNs). Any time your web browser displays https://www.yoursite.XXX instead of http://www.yoursite.XXX, you are connected through what is supposed to be a secure, encrypted channel.
What this means for many Internet users is that their sensitive information (passwords, bank account numbers, Social Security numbers and credit card details) may have been grabbed from a vulnerable server's memory, and may be used by someone to gain unauthorized access. Passwords, private communications and even credit card information could be available to hackers courtesy of this newly discovered bug, and a server that was attacked this way has no record of it in its logs.
What must you be aware of, and what steps should you take?
The Heartbleed bug (it is a bug in OpenSSL, not a virus) has been present on millions of websites for about two years, since the vulnerable code shipped in OpenSSL 1.0.1 in March 2012, but there are ways to protect yourself. Check the sites you use with a Heartbleed test tool, or against a published list of sites known to have been vulnerable and whether they have since been patched. If a major website is still vulnerable, changing your password there won't help: the new password can be stolen the same way the old one was. Once a site passes the test, change your password. Be sure to test anything you do on-line that involves payment or financial information. If you don't bank on-line, there's no need to test your bank. If you use e-mail or social media sites such as Facebook, check them by entering their address into the test tool.
What’s an SSL heartbeat?
The Heartbeat Extension (RFC 6520) is an extension to TLS/DTLS that provides keep-alive functionality without performing a renegotiation, and a basis for path MTU (PMTU) discovery for DTLS. It is a check to see whether the peer at the other end of the connection is still there or has dropped off. While the peer is still present, the heartbeat keeps the session context between the two alive. Without it, the only way to do this is a renegotiation, which costs more data and so slows transactions.
The bug is in how the server handles the heartbeat request's payload length. A heartbeat message carries a 16-bit length field that says how many payload bytes follow, and the server echoes that many bytes back. Vulnerable versions never checked that declared length against the size of the record actually received, so an attacker can send a tiny request that claims a payload of up to 65,535 bytes, and the server copies that many bytes, starting at the request buffer, into its response. Everything past the end of the real request is whatever happened to sit next to it in the server's memory: up to 64KB of process memory leaks per request, over an ordinary TLS connection (port 443 for HTTPS, but any TLS or DTLS service is reachable the same way, and a malicious server can do the same to a vulnerable client). The attacker cannot choose which addresses are read, but repeating the request returns another 64KB from whatever is adjacent by then. Raw memory dumps like this have been shown to contain usernames and passwords, session cookies and, in some cases, the server's private key.
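The following is an added example written for this post, not OpenSSL's own code: it models the logic of OpenSSL's heartbeat handler in both its vulnerable and its fixed shape, side by side, against a constructed 512-byte "heap" so that the over-read stays inside a harmless array instead of real process memory. The names heap, SECRET, build_record and the -1 "discarded" return are assumptions made for the demo; a real request can claim up to 65,535 bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the heartbeat handler written for this post; heap, SECRET and
 * build_record are our own assumptions, not OpenSSL identifiers. */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16

/* Constructed stand-in for the server's heap: the received heartbeat
 * record goes at the front and a secret sits right after it. */
#define HEAP_SIZE 512
static unsigned char heap[HEAP_SIZE];
static const char SECRET[] = "Cookie: session=8f3a1c; user=alice; password=hunter2";

struct record {
    unsigned char *data;   /* start of the heartbeat message */
    size_t length;         /* bytes actually received in this record */
};

/* Write a heartbeat request into the fake heap. The declared payload
 * length is attacker-controlled; the real payload is always "hello". */
struct record build_record(unsigned int declared_len)
{
    unsigned char *p = heap;
    memset(heap, 0, sizeof heap);
    *p++ = TLS1_HB_REQUEST;
    *p++ = (unsigned char)(declared_len >> 8);
    *p++ = (unsigned char)(declared_len & 0xff);
    memcpy(p, "hello", 5);       p += 5;
    memset(p, 0xAA, HB_PADDING); p += HB_PADDING;       /* request padding */
    struct record rec = { heap, (size_t)(p - heap) };   /* 24 bytes on the wire */
    memcpy(p, SECRET, sizeof SECRET);  /* adjacent heap data, not part of the record */
    return rec;
}

/* Build the echo response: copies 'payload' bytes from the request buffer. */
static int build_response(const unsigned char *pl, unsigned int payload,
                          unsigned char **out, size_t *out_len)
{
    size_t n = 1 + 2 + payload + HB_PADDING;
    unsigned char *buffer = malloc(n), *bp = buffer;
    if (!buffer) return -1;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);     /* reads past the record if 'payload' was a lie */
    bp += payload;
    memset(bp, 0, HB_PADDING);   /* OpenSSL fills this with RAND_pseudo_bytes */
    *out = buffer; *out_len = n;
    return 0;
}

/* Vulnerable shape (1.0.1 to 1.0.1f): the declared length is trusted. */
int heartbeat_vulnerable(const struct record *rec, unsigned char **out, size_t *out_len)
{
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    unsigned int payload = (p[0] << 8) | p[1];   /* n2s(p, payload) */
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return -1;
    return build_response(p, payload, out, out_len);
}

/* Fixed shape (1.0.1g): check the declared length against the record
 * actually received and silently discard the message on mismatch. */
int heartbeat_fixed(const struct record *rec, unsigned char **out, size_t *out_len)
{
    if (1 + 2 + HB_PADDING > rec->length) return -1;  /* too short to carry anything */
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    unsigned int payload = (p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + payload + HB_PADDING > rec->length) return -1;  /* the Heartbleed check */
    if (hbtype != TLS1_HB_REQUEST) return -1;
    return build_response(p, payload, out, out_len);
}

/* Does a response contain bytes that were never part of the request? */
int contains_bytes(const unsigned char *hay, size_t haylen, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= haylen; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

int main(void)
{
    unsigned char *out; size_t n;
    struct record rec = build_record(200);   /* 5 real payload bytes, claims 200 */
    if (heartbeat_vulnerable(&rec, &out, &n) == 0) {
        printf("vulnerable: %zu bytes back, secret leaked: %s\n", n,
               contains_bytes(out, n, SECRET) ? "yes" : "no");
        free(out);
    }
    printf("fixed: %s\n", heartbeat_fixed(&rec, &out, &n) == 0 ? "answered" : "discarded");
    return 0;
}
```

The fix is the single comparison of the declared payload length against the length of the record the TLS layer actually delivered; an honest request (declared length 5) still gets its echo from the fixed handler, while the lying one is dropped without a reply.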
What versions of OpenSSL are affected?
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
One caveat for anyone checking their own servers: many Linux distributions fixed the bug by patching their existing 1.0.1e package rather than upgrading to 1.0.1g, so the output of "openssl version" alone does not tell you whether a machine is patched. Check the package changelog or the build date from "openssl version -b" against your distribution's advisory, then restart every service that had loaded the old library, since a running process keeps using the vulnerable copy until it is restarted. A site that was vulnerable should also assume its private key may have been read out and reissue its certificate.