Is there a solution for Heartbleed?
Who is responsible for all of this?
The Heartbleed Bug was discovered by security analysts from Google and Codenomicon and disclosed by the OpenSSL open-source project on April 7 in an OpenSSL security advisory, with a fix prepared by OpenSSL contributors Adam Langley and Bodo Möller. Across the world, companies and vendors have been scrambling to either patch their systems or assure users that their services weren't using OpenSSL.
The Heartbleed bug (CVE-2014-0160) is a very serious bug in the OpenSSL library, the security library used to protect communications between computers for many different purposes. Examples of OpenSSL usage include the SSL certificates used on web servers (behind the padlock that indicates an encrypted connection), TLS communications between servers, and email collected or sent over secured connections using 'secure protocols'.
Heartbleed is a flaw in OpenSSL, an open-source encryption technology that is used by an estimated two-thirds of Web servers. It is behind many HTTPS sites that collect personal or financial information. These sites are typically indicated by a lock icon in the browser to let site visitors know the information they're sending online is hidden from prying eyes.
But who's to blame for this flaw in the open-source library, which some say could also affect routers and even mobile devices?
A German software engineer named Robin Seggelmann of Münster, Germany has reportedly accepted responsibility for inserting what experts are calling a mistake of catastrophic proportions into the open-source library OpenSSL, used by millions of websites and servers, leaving their data and passwords open to theft; many think the flaw has already been exploited by cyber-criminals and government intelligence agencies.
"Half a million websites are vulnerable, including my own," wrote security expert Bruce Schneier in his blog, pointing to a tool to test for the Heartbleed Bug vulnerability. He described Heartbleed as a "catastrophic bug" in OpenSSL because it "allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software." It compromises secret keys used to identify service providers and encrypt traffic, he pointed out. "This means anything in memory--SSL private keys, user keys, anything--is vulnerable."
Seggelmann takes the blame for introducing the flaw into OpenSSL two years ago by mistake when he sought to add new features. An article quotes him as saying he "missed validating a variable containing a length," and that this oversight, "though trivial," was a simple error.
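The error Seggelmann describes, a length field supplied by the peer that was never compared with the amount of data that actually arrived, is easiest to see side by side with the check the fix added. The following is an added, simplified model written for this page; it is not OpenSSL's code. The record layout, the function names, the buffer sizes and the "neighbouring memory" bytes are all constructed for illustration, and both handlers only ever read inside one fixed array, so the demo itself has no undefined behaviour (the real code had no such clamp).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record (constructed for this example, not OpenSSL's
 * layout verbatim): 1-byte type, 2-byte big-endian payload length, payload. */
#define HB_HDR_LEN 3
#define CONN_BUF_LEN 64   /* constructed stand-in for the receive buffer */

/* Flawed pattern: trust the peer's length field and echo that many bytes,
 * never asking how many bytes actually arrived in this record.
 * Demo-only clamp: the copy is kept inside conn_buf so this program has no
 * undefined behaviour; the real code read past the record into whatever the
 * process happened to hold nearby. */
size_t heartbeat_unchecked(const uint8_t *conn_buf, size_t conn_len,
                           size_t record_len, uint8_t *out, size_t out_cap)
{
    if (conn_len < HB_HDR_LEN) return 0;
    size_t claimed = (size_t)((conn_buf[1] << 8) | conn_buf[2]);
    size_t n = claimed;
    if (n > conn_len - HB_HDR_LEN) n = conn_len - HB_HDR_LEN; /* demo clamp */
    if (n > out_cap) n = out_cap;
    memcpy(out, conn_buf + HB_HDR_LEN, n);
    (void)record_len; /* the flawed version never looked at this */
    return n;
}

/* Fixed pattern: the claimed length must fit inside the record that actually
 * arrived; a request that lies about its length is silently dropped. */
size_t heartbeat_checked(const uint8_t *conn_buf, size_t conn_len,
                         size_t record_len, uint8_t *out, size_t out_cap)
{
    if (record_len < HB_HDR_LEN || record_len > conn_len) return 0;
    size_t claimed = (size_t)((conn_buf[1] << 8) | conn_buf[2]);
    if (claimed + HB_HDR_LEN > record_len) return 0; /* the missing check */
    if (claimed > out_cap) return 0;
    memcpy(out, conn_buf + HB_HDR_LEN, claimed);
    return claimed;
}

/* Build a constructed request whose header claims `claimed` payload bytes but
 * really carries only strlen(payload) bytes, and place sensitive-looking data
 * right after it, as neighbouring memory contents would sit. Returns the
 * length of the record that actually "arrived" (header + real payload). */
static size_t build_conn_buf(uint8_t *conn_buf, uint16_t claimed, const char *payload)
{
    const char *neighbour = "SECRET-KEY-MATERIAL-FROM-NEIGHBOURING-MEMORY";
    size_t plen = strlen(payload);
    memset(conn_buf, 0, CONN_BUF_LEN);
    conn_buf[0] = 1;                         /* heartbeat request */
    conn_buf[1] = (uint8_t)(claimed >> 8);
    conn_buf[2] = (uint8_t)(claimed & 0xff);
    memcpy(conn_buf + HB_HDR_LEN, payload, plen);
    memcpy(conn_buf + HB_HDR_LEN + plen, neighbour, strlen(neighbour));
    return HB_HDR_LEN + plen;
}

/* Mismatched request (claims 40 bytes, carries 2) through the flawed handler.
 * Returns bytes echoed; *leaked_neighbour is set if foreign data came back. */
size_t demo_unchecked(int *leaked_neighbour)
{
    uint8_t conn_buf[CONN_BUF_LEN], out[CONN_BUF_LEN];
    size_t record_len = build_conn_buf(conn_buf, 40, "hi");
    size_t n = heartbeat_unchecked(conn_buf, CONN_BUF_LEN, record_len, out, sizeof out);
    *leaked_neighbour = (n > 2 && memcmp(out + 2, "SECRET", 6) == 0);
    return n;
}

/* The same mismatched request through the fixed handler. */
size_t demo_checked(int *leaked_neighbour)
{
    uint8_t conn_buf[CONN_BUF_LEN], out[CONN_BUF_LEN];
    size_t record_len = build_conn_buf(conn_buf, 40, "hi");
    size_t n = heartbeat_checked(conn_buf, CONN_BUF_LEN, record_len, out, sizeof out);
    *leaked_neighbour = (n > 2 && memcmp(out + 2, "SECRET", 6) == 0);
    return n;
}

/* An honest request (claims 2 bytes, carries 2) still works after the fix. */
size_t demo_checked_valid(void)
{
    uint8_t conn_buf[CONN_BUF_LEN], out[CONN_BUF_LEN];
    size_t record_len = build_conn_buf(conn_buf, 2, "hi");
    return heartbeat_checked(conn_buf, CONN_BUF_LEN, record_len, out, sizeof out);
}

int main(void)
{
    int leaked;
    printf("unchecked: echoed %zu bytes, neighbour leaked=%d\n", demo_unchecked(&leaked), leaked);
    printf("checked:   echoed %zu bytes, neighbour leaked=%d\n", demo_checked(&leaked), leaked);
    printf("checked, honest request: echoed %zu bytes\n", demo_checked_valid());
    return 0;
}
```

The point for a reviewer or a defender is in the single comparison `claimed + HB_HDR_LEN > record_len`: every length that comes off the wire has to be measured against the bytes that were really received before it is used to size a copy, and a handler that cannot honour that rule should drop the request rather than guess.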
Is the mistake with this enormous consequence to the whole of Internet security an indictment of the open-source code-vetting process? Responses to that question are mixed.
"A mistake was made and quickly corrected," says Glenn Dodi, senior director, security intelligence and research labs, ThreatTrack Security. Software has bugs all the time, he points out. "Given enough time, effort and money, someone can find a vulnerability in nearly every piece of software. After all, humans are the ones who coded it."
Cybercriminals could exploit the bug to access visitors' personal data as well as a site's cryptographic keys, which can be used to impersonate that site and collect even more information.
major sites, including Tumblr.
It's not just an issue for major sites. Smaller online stores and services use OpenSSL, and those sites might take longer to make the necessary fixes. Websites don't typically publicize whether they're using OpenSSL, so the process will also be bumpy for consumers.