This story is from April 9, 2014
Panic on web as Heartbleed bug leaves millions of users vulnerable
Web administrators and computer security researchers on Tuesday scrambled to fix a serious vulnerability in OpenSSL encryption used by thousands of web servers, including those run by email and web chat providers.
Web administrators and computer security researchers on Tuesday scrambled to fix a serious vulnerability in OpenSSL encryption used by thousands of web servers, including those run by email and web chat providers.
NEW DELHI: Web administrators and computer security researchers on Tuesday scrambled to fix a serious vulnerability in OpenSSL encryption used by thousands of web servers, including those run by email and web chat providers. The bug, dubbed Heartbleed, “allows anyone on the internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software”.
In other words hackers or cyber criminals can use the Heartbleed bug to steal private encryption keys from a server that is using OpenSSL protocols of SSL/TLS encryption and then snoop on the user data, including passwords.There are reports that servers of Yahoo, Imgur and Flickr have been affected. However, this is around two-year-old bug and hence no one knows for sure how many people have exploited it at how many servers have been compromised.
The bug is so serious and widespread that Tor Project, which manages the anonymous Tor network, has advised web users to go offline for a while. “If you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle,” it said in a blog post.
In a separate note OpenSSL Project said that the bug was discovered by Neel Mehta, a security researcher working with Google. It also said the “affected users should upgrade to OpenSSL 1.0.1g”. The key bit to note here is that by users OpenSSL doesn’t mean the web users but web server administrators who use OpenSSL protocols.
The reason why the Heartbleed bug has caused panic among server administrators and security researchers is because how it affects servers. “This bug has left large amount of private keys and other secrets exposed to the internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously,” explained the Heartbleed website. “Leaked (private) secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will.”
In an answer to a question — Am I affected by the bug? — the OpenSSL website notes, "you are likely to be affected either directly or indirectly".
“OpenSSL is the most popular open source cryptographic library and TLS implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many of online services use TLS to both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of the TLS,” noted the website.
In other words hackers or cyber criminals can use the Heartbleed bug to steal private encryption keys from a server that is using OpenSSL protocols of SSL/TLS encryption and then snoop on the user data, including passwords.There are reports that servers of Yahoo, Imgur and Flickr have been affected. However, this is around two-year-old bug and hence no one knows for sure how many people have exploited it at how many servers have been compromised.
The bug is so serious and widespread that Tor Project, which manages the anonymous Tor network, has advised web users to go offline for a while. “If you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle,” it said in a blog post.
OpenSSL Project has created a website called www.heartbleed.com to inform web users and web masters about the bug.“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users,” explained a note posted on the website.
In a separate note OpenSSL Project said that the bug was discovered by Neel Mehta, a security researcher working with Google. It also said the “affected users should upgrade to OpenSSL 1.0.1g”. The key bit to note here is that by users OpenSSL doesn’t mean the web users but web server administrators who use OpenSSL protocols.
The reason why the Heartbleed bug has caused panic among server administrators and security researchers is because how it affects servers. “This bug has left large amount of private keys and other secrets exposed to the internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously,” explained the Heartbleed website. “Leaked (private) secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will.”
In an answer to a question — Am I affected by the bug? — the OpenSSL website notes, "you are likely to be affected either directly or indirectly".
“OpenSSL is the most popular open source cryptographic library and TLS implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many of online services use TLS to both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of the TLS,” noted the website.
About the Author
Javed AnwerEnd of Article
FOLLOW US ON SOCIAL MEDIA
Hot Picks
TOP TRENDING
Trending Stories
In Tech
Entire Website
- France Sees Surge in International Student Enrollment, Ranks 6th Globally
- Best 50 Inch TV Models: Find Your Perfect Match Across Budgets from Leading Brands
- RR vs GT Live Score, IPL 2024
- QS Rankings 2024: IIM Ahmedabad ranks at 22 among Business & Management Studies institutes globally
- QS University Rankings 2024: Top 10 Business & Management Schools in India
- UPSC IES, ISS Exam 2024 application begins at upsc.gov.in, direct link to apply
- Karnataka 2nd PUC Result 2024 Live: KSEAB class 12 result will be declared in less than 15 minutes
- Raaj Kumar Anand resigns from Delhi cabinet, quits AAP
- Rashtriya Lok Dal (RLD) chief Jayant Chaudhary uses chess to hit Samajwadi Party, says 'offered queen to checkmate the king'
- Love Jihad: ‘Kerala Story’ adds drama to state politics in poll season; BJP leaders 'pleased'
- Delhi minister quits alleging corruption; AAP says he was scared of ED threats
- 'Ready to bear all atrocities for...': Kejriwal's message from jail
- Why ‘new India’ will chase, kill enemies in other countries
- 'Elon Musk may meet PM Modi soon, discuss investment plans'
- 'Virat is one of those guys who...': Agarkar on Kohli's fitness
- HC orders CBI probe into alleged crimes against women in Sandeshkhali
- Kejriwal, CAA, IT raids: Is the US backing BJP’s rivals?
- Big win for PM Modi: 1 in 7 of marquee iPhone models are from India
- Dhoni's instinctive captaincy outshines AI: Agarkar
- 'We will rip you apart': SC refuses to accept Patanjali's apology
Popular Categories
Hot on the Web
Top Trends
RR vs GT Live ScoreVande Bharat TrainIPL Orange Cap Standings 2024Karnataka 2nd PUC ResultStock Market TodayArvind Kejriwal LiveKarnataka PUC Toppers ListBoard Exam Result 2024IPL Orange Cap 2024Purple Cap IPL 2024TS TET 2024IPL 2024 ScheduleHighest Innings Score in IPLLok Sabha Election Full ScheduleIPL Points TableIPL Match Full Schedule
Trending Topics
Diljit DosanjhHappy Chaitra Navratri MessagesNavratri ColoursEid Ul Fitr WishesSiblings Day WishesEID 2024 Mehndi DesignsNavratri 2024 WishesKapil SharmaEID Mubarak WishesRanbir KapoorTamannaah BhatiaAnant AmbaniSara Ali KhanGodzilla X KongKiara AdvaniNita AmbaniBest Top Load Washing MachinesBest 8kg Washing MachinesBest Refrigerators Under 20000Best 50 Inch Tv
Living and entertainment
Latest News
4 myths explain why women are no ‘superwomen’Mohanlal to Mammootty: Mollywood stars extend heartfelt Eid wishesMicrosoft is re-launching these games in ChinaToyota Taisor variant-wise price with features explainedWhy these mobile retail chains are threatening to discontinue sale of OnePlus devices from May 1Elon Musk’s Grok-1 goes open-source: What it means for usersInfosys Foundation grants Rs 33 crore to Karnataka police to fight cybercrimesEx-contestant Arya jokes about BFF Sibin's decision to enter Bigg Boss Malayalam 6, says 'Some people will only learn by experience'Bhagavad Gita: How to attain a state of divine consciousnessRaaj Kumar Anand resigns from Delhi cabinet, quits AAP; 'he was scared', says Saurabh BharadwajIsha Malviya, Manisha Rani to Abhimanyu Dassani: Best dressed celebs at Times Food and Nightlife AwardsSamsung Galaxy S24 vs iPhone 15: Price And Specs ComparisonGovernment to develop plant for recycling lithium-ion batteries, e-waste in UttarakhandNadda to address election rally in Port Blair tomorrowNadda to address election rally in Port Blair tomorrowWhen baby Alia Bhatt expressed her desire to become a starMaruti Suzuki Swift, Grand Vitara to get costlier from April 10: Here's by how much7 get lifer for killing truck driver, cleaner during highway robbery in Bulandshahr
Copyright © 2024 Bennett, Coleman & Co. Ltd. All rights reserved. For reprint rights: Times Syndication Service