Heartbleed Bug - History and Impact
/ heartbleed101

History

On April 7, 2014, it was announced that OpenSSL 1.0.2-beta, as well as all versions of OpenSSL in the 1.0.1 series prior to 1.0.1g had a severe memory handling bug in their implementation of the TLS Heartbeat Extension. This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat. Its CVE number is CVE-2014-0160.

The bug is exercised by sending a malformed heartbeat request to the server in order to elicit the server's memory response. Due to a lack of bounds checking, the affected versions of OpenSSL never verified that the heartbeat request was valid, allowing attackers to bring about inappropriate server responses.

The vulnerability has existed since December 31, 2011, and the vulnerable code has been in widespread use since the release of OpenSSL version 1.0.1 on March 14, 2012.

The bug was named by an engineer at Codenomicon, a Finnish cybersecurity company, which also created the bleeding heart logo, and launched the domain Heartbleed.com to explain the bug to the public. According to Codenomicon, Neel Mehta of Google Security first reported the bug to OpenSSL, but both Google and Codenomicon discovered it independently. The OpenSSL team also credits Mehta as the discoverer. Both allegedly reported the problem to OpenSSL developers before the public disclosure.

Impact

By reading an arbitrary block of the web server's memory, attackers might receive sensitive data, compromising the security of the server and its users. Vulnerable data include the server's private master key, which would enable attackers to decrypt current or stored traffic via passive man-in-the-middle attack (if perfect forward secrecy is not used by the server and client), or active man-in-the-middle if perfect forward secrecy is used. The attacker cannot control which data is returned, as the server responds with a random chunk of its own memory.

The bug might also reveal unencrypted parts of users' requests and responses, including any form post data in users' requests, session cookies and passwords, which might allow attackers to hijack the identity of another user of the service.

At its disclosure, some 17% or half a million of the Internet's secure web servers certified by trusted authorities were believed to have been vulnerable to an attack. The Electronic Frontier Foundation, Ars Technica, and Bruce Schneier all deemed the Heartbleed bug "catastrophic." Forbes cybersecurity columnist, Joseph Steinberg, described the bug as potentially "the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet."