Hackers could have been stealing data for the past two years

Apr 8, 2014 07:20 GMT  ·  By
The Heartbleed Bug could have exposed encryption keys of millions of websites

Researchers have discovered an extremely dangerous bug in OpenSSL, the cryptographic software library used by about two thirds of the world’s web servers. The bug allows anyone who can reach a vulnerable server to read passwords, financial data, and anything else that was supposed to be protected by encryption.

The bug in OpenSSL could also expose the cryptographic keys and private communications of many important sites and services on the Internet. If you are running a server with OpenSSL 1.0.1 through 1.0.1f, update to OpenSSL 1.0.1g immediately; the fix has already been released. Because the bug can leak a server’s private key, patching alone is not enough: the key should be treated as compromised, a new key generated, the certificate reissued and the old one revoked.

Versions of OpenSSL prior to 1.0.1 are unaffected, but the bug was present in released code for about two years before being discovered, since OpenSSL 1.0.1 shipped in March 2012.

The bug is officially tracked as CVE-2014-0160, but has been named Heartbleed because it is located in OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension.

The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of OpenSSL, up to 64 KB per request and as many times as they like, without leaving a trace in the server’s ordinary logs.
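To make the mechanism concrete, here is an added illustration in C; it is not code from the article or from OpenSSL itself. It shows a stripped-down heartbeat handler in its vulnerable and fixed forms, run against a constructed heartbeat record whose declared payload length (64) is larger than the bytes actually sent (4). The record layout, the g_memory array standing in for the process heap, the constructed "SECRET_PRIVATE_KEY" contents placed after the record, and all function names are assumptions made for the demonstration; the length comparison in fixed_heartbeat mirrors the one the 1.0.1g patch added.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST 1
#define HB_PADDING 16   /* minimum padding the heartbeat extension requires */

/* Constructed stand-in for process memory (assumption for the demo): the
 * heartbeat record is placed at the start and, as on a real heap, other data
 * follows it. The vulnerable handler reads past the record into that data. */
static unsigned char g_memory[256];
static const char kSecret[] = "SECRET_PRIVATE_KEY";  /* constructed "adjacent heap" contents */

/* Build a heartbeat message: type || payload_length (2 bytes, big-endian) ||
 * payload || padding. declared_len is what the peer claims; a malicious peer
 * sets it larger than the bytes it actually sends. Returns the real record
 * length, i.e. what the TLS record layer would report. */
size_t build_record(unsigned char *buf, uint16_t declared_len,
                    const unsigned char *payload, size_t payload_len)
{
    buf[0] = TLS1_HB_REQUEST;
    buf[1] = (unsigned char)(declared_len >> 8);
    buf[2] = (unsigned char)(declared_len & 0xff);
    memcpy(buf + 3, payload, payload_len);
    memset(buf + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Vulnerable shape of the handler: the peer-supplied length is trusted and
 * never compared with the actual record length. Returns bytes echoed. */
int vulnerable_heartbeat(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                      /* the bug: the real length is never consulted */
    if (payload > out_cap) return -1;   /* keeps this demo in bounds; not part of the bug */
    memcpy(out, rec + 3, payload);      /* over-reads whenever payload > rec_len - 3 */
    return payload;
}

/* Fixed shape: the same bounds test the 1.0.1g patch added, then the copy. */
int fixed_heartbeat(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;   /* too short to be a heartbeat */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;  /* silently discard */
    if (payload > out_cap) return -1;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Sends a 4-byte "ping" with the given declared length through one handler.
 * Returns the handler's result; on success out holds what was echoed back. */
int run_scenario(uint16_t declared_len, int use_fixed,
                 unsigned char *out, size_t out_cap)
{
    memset(g_memory, 0, sizeof g_memory);
    memset(out, 0, out_cap);
    size_t rec_len = build_record(g_memory, declared_len,
                                  (const unsigned char *)"ping", 4);
    memcpy(g_memory + rec_len, kSecret, sizeof kSecret);  /* data lying just past the record */
    return use_fixed ? fixed_heartbeat(g_memory, rec_len, out, out_cap)
                     : vulnerable_heartbeat(g_memory, rec_len, out, out_cap);
}

int main(void)
{
    unsigned char out[256];
    int n = run_scenario(64, 0, out, sizeof out);
    /* the record is 23 bytes, so the "secret" starts at echoed offset 20 */
    printf("vulnerable: echoed %d bytes; offset 20 reads \"%.18s\"\n",
           n, (const char *)(out + 20));
    printf("fixed: malicious record -> %d, honest record -> %d\n",
           run_scenario(64, 1, out, sizeof out), run_scenario(4, 1, out, sizeof out));
    return 0;
}
```

Compile with any C99 compiler and run. The vulnerable handler echoes 64 bytes, 41 of which lie beyond the 23-byte record, so the constructed "secret" comes back to the peer in the heartbeat response; the fixed handler drops the malformed record and still answers the honest 4-byte one. In real OpenSSL the over-read walks into whatever heap allocations happen to sit next to the record buffer, which is how key material and session data leak.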

“We have tested some of our own services from attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication,” reads a website dedicated to the bug.

Given the long exposure, the ease of exploitation, and the fact that exploitation leaves no trace, so nobody can tell whether it has already been used against them, this is an extremely dangerous bug.

While other bugs have been fixed by various updates, this one remained undetected until Neel Mehta of Google Security and security firm Codenomicon independently discovered it.

A patch for the bug is already available, but many operators of affected servers may take a while to roll it out, leaving their users exposed. If attackers did not know about the issue beforehand, they certainly do now.

“OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of TLS. Furthermore, you might have client side software on your computer that could expose the data from your computer if you connect to compromised services,” the team warns.

In fact, since the most notable pieces of software using OpenSSL are open source web servers such as Apache and nginx, which together serve 66 percent of all active sites on the Internet, this is perhaps one of the most widespread security bugs ever found.