The security flaw nicknamed "Heartbleed" is one of the most serious ever disclosed.
Where is the "Heartbleed" flaw? Why does it have that name?
The flaw is in the "heartbeat" functions of OpenSSL, which is where the name comes from.
What is OpenSSL?
OpenSSL is a library, that is, software that other software can use ("call") to support the SSL and TLS protocols. OpenSSL is not used directly by the user; it is used by a web browser, for example, so that the browser does not need to write its own functions to access secure sites (HTTPS).
What are SSL and TLS?
SSL and TLS are cryptographic security layers that can protect insecure protocols such as HTTP (web sites), SMTP, IMAP and POP3 (email), among others. Normally, when these protocols are used, data travels in plain text, that is, vulnerable to interception and reading. When SSL or TLS is used, the content of the communication is encrypted, which prevents an intermediary from reading the connection even if it manages to intercept it. As a practical example, anyone can read data traveling over a Wi-Fi network without a password. Content protected by SSL or TLS, even when captured, is all scrambled and cannot be read.
What is the “heartbeat”?
Heartbeat is a "patch" for protocols that do not provide a permanent connection. An example of a permanent connection is a phone call (it stays open even when nobody is talking), but on the internet, which works with packets, a connection can be opened and closed every time data is exchanged. This closing and reopening is not very efficient, so in some cases it is useful for two computers to keep a permanent connection. Heartbeat is used to keep these connections "alive": one side sends a small message and the other answers it. Its use is not mandatory, and most of the sites that were not vulnerable had heartbeat disabled.
What is the problem in the OpenSSL heartbeat?
To verify that everything is working properly, the standard defines a heartbeat message that asks the other end of the connection to return a copy of the message it received. OpenSSL reads the received message from memory and returns it, as it should. But OpenSSL reads memory according to a field in the message that states the message's size, without checking whether the message actually has the size it claims. The attack, therefore, is to send a message that says "I am 64 KB long" when in fact the message is only a few bytes. OpenSSL reads 64 KB of memory and returns it to the attacker, allowing them to read the memory of the software that uses OpenSSL. Because the length field is two bytes, each request can return at most 65,535 bytes, which is the "64 KB" in descriptions of the flaw.
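The exchange described above, as an added example that is not OpenSSL's code and not part of the original column: a constructed model in C of the heartbeat request and response from the earlier section, with the handler that trusts the length field placed beside the handler that performs the missing check. The simplified record layout, the "ping" payload, the "secret" placed after the record, and the function names are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the Heartbleed bug, not OpenSSL's own code.
 * Simplified record layout (after RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (16 bytes)
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_HEADER    3
#define ARENA_SIZE   256

/* Write a heartbeat response into `out`. Returns bytes written, or -1 if rejected.
 * `record_len` is the number of bytes the transport actually delivered. The
 * vulnerable variant trusts payload_length from inside the message and never
 * compares it against record_len. */
static int heartbeat_reply(const uint8_t *record, size_t record_len,
                           uint8_t *out, size_t out_cap, int check_length) {
  if (record_len < HB_HEADER || record[0] != HB_REQUEST) return -1;
  uint16_t payload_len = (uint16_t)((record[1] << 8) | record[2]);
  /* The missing check: claimed payload plus header and padding must fit
   * inside what was really received. This is what the OpenSSL fix added. */
  if (check_length && HB_HEADER + (size_t)payload_len + HB_PADDING > record_len) return -1;
  size_t resp_len = HB_HEADER + payload_len + HB_PADDING;
  if (resp_len > out_cap) return -1;  /* guards only this demo's output buffer */
  out[0] = HB_RESPONSE;
  out[1] = record[1];
  out[2] = record[2];
  memcpy(out + HB_HEADER, record + HB_HEADER, payload_len);  /* over-reads when unchecked */
  memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
  return (int)resp_len;
}

int heartbeat_vulnerable(const uint8_t *r, size_t n, uint8_t *out, size_t cap) {
  return heartbeat_reply(r, n, out, cap, 0);
}
int heartbeat_fixed(const uint8_t *r, size_t n, uint8_t *out, size_t cap) {
  return heartbeat_reply(r, n, out, cap, 1);
}

/* Constructed "secret" standing in for whatever sits next to the record in server memory. */
static const char SECRET[] = "session=abc123;password=hunter2";

/* Build an arena modelling a slice of server memory: an attacker's record that
 * claims `claimed_len` payload bytes but really carries "ping", followed by
 * unrelated data. Returns the real delivered record length. */
static size_t build_arena(uint8_t *arena, uint16_t claimed_len) {
  const char real_payload[] = "ping";
  size_t real_len = HB_HEADER + strlen(real_payload) + HB_PADDING;
  memset(arena, 0, ARENA_SIZE);
  arena[0] = HB_REQUEST;
  arena[1] = (uint8_t)(claimed_len >> 8);
  arena[2] = (uint8_t)(claimed_len & 0xff);
  memcpy(arena + HB_HEADER, real_payload, strlen(real_payload));
  memcpy(arena + real_len, SECRET, sizeof SECRET);  /* leftover data after the record */
  return real_len;
}

static int contains(const uint8_t *hay, size_t n, const char *needle) {
  size_t m = strlen(needle);
  for (size_t i = 0; i + m <= n; i++)
    if (memcmp(hay + i, needle, m) == 0) return 1;
  return 0;
}

/* 1 if the vulnerable handler echoes the secret back to a lying request. */
int demo_vulnerable_leaks_secret(void) {
  uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
  size_t real_len = build_arena(arena, 100);  /* claims 100 bytes, sends 4 */
  int n = heartbeat_vulnerable(arena, real_len, out, sizeof out);
  return n > 0 && contains(out, (size_t)n, SECRET);
}

/* 1 if the fixed handler rejects the same lying request. */
int demo_fixed_rejects_lie(void) {
  uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
  size_t real_len = build_arena(arena, 100);
  return heartbeat_fixed(arena, real_len, out, sizeof out) == -1;
}

/* 1 if the fixed handler still answers an honest request, returning only its payload. */
int demo_fixed_answers_honest(void) {
  uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
  size_t real_len = build_arena(arena, 4);  /* claims exactly what it sends */
  int n = heartbeat_fixed(arena, real_len, out, sizeof out);
  return n == (int)real_len && !contains(out, (size_t)n, SECRET);
}

int main(void) {
  printf("vulnerable handler leaks secret: %d\n", demo_vulnerable_leaks_secret());
  printf("fixed handler rejects lie:       %d\n", demo_fixed_rejects_lie());
  printf("fixed handler answers honest:    %d\n", demo_fixed_answers_honest());
  return 0;
}
```

The arena is only 256 bytes so that the demonstration never reads outside memory it owns; the real bug copies up to 65,535 bytes from wherever the record happened to land in the server's heap, which is why the contents of each response were unpredictable and why repeated requests were needed to harvest anything specific.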
Why does this affect internet sites?
Just as you need Internet Explorer, Chrome or Firefox to browse the internet, the sites on the web also need a program that is "listening" to receive requests and send pages to browsers. The two most popular programs for this job, Apache and Nginx, use OpenSSL.
What happens in practice?
When OpenSSL reads the memory of Apache or Nginx, it can end up reading data such as passwords on login forms, session keys (which keep an internet user logged in to the site), and even the server's own "private key", used to keep the connection secure. That is, an attacker can steal data being processed by the website in real time, 64 KB at a time. The 64 KB limit does not mean much, because the attacker can exploit the flaw repeatedly and in parallel, obtaining much of the data being processed. With the private key, an attacker could unscramble intercepted data, recovering it in plain text; a server that may have leaked its key therefore needed a new key and certificate, not just a software update. But even an attacker who does not obtain the key and cannot intercept any traffic can still extract information by reading memory directly.
Doesn't the problem affect browsers?
Web browsers chose to use other SSL libraries, that is, they do not use OpenSSL and so are not vulnerable to this particular flaw. Browsers are also harder to exploit because, unlike servers, they do not sit on the internet waiting for external connections. That said, the problem does exist on the Android mobile platform, in version 4.1. It is not yet clear how the vulnerability could be exploited there or what the consequences would be.
Is the flaw really serious?
Yes. Security expert Bruce Schneier put it this way: "on a scale of 0 to 10, this is an 11." The flaw remained open for two years, and there is no way of knowing what data may have been stolen during that period. The security firm CloudFlare put a vulnerable server online for testing and challenged experts to extract its private key. The key was successfully extracted more than once. In other words, the risks are not "theoretical."
Are service providers to blame?
No. Being vulnerable to this flaw is not a sign of inadequate security practice on the part of content providers or online service providers. The flaw was present even in the latest version of OpenSSL.
What can I do?
The recommendation is to change passwords, but in practice it is very unlikely that your password specifically was stolen. Passwords were stolen, no doubt, but nobody knows exactly which ones. If you have important things in any of the affected services, such as Dropbox, Yahoo Mail, Tumblr and Steam, it is worth changing your password. Google, which was affected, does not recommend changing passwords. (This column said last week that Twitter was among the vulnerable services. Twitter does use OpenSSL but said it was not affected, probably because it does not use heartbeat.) Change passwords on services that matter to you, or if you receive a specific recommendation from the service provider. There is no point changing a password before the service has fixed the flaw: the new password would pass through the same vulnerable memory. Remember, this flaw is not on your PC. Although in many cases we are used to hearing recommendations aimed at internet users, this time those who must deal with the problem are the security teams of the service providers. They have full ability to force a password change if they consider it necessary; there is no need to "ask" or "recommend."