Heart Bleed Bug – a Major OpenSSL Security Leak

There has been a major security leak in SSL, called the Heartbleed bug, which affects about two thirds of the servers on the internet. Apache and Nginx, the two major open source web servers, have a combined market share of over 66% (Netcraft’s April 2014 Web Server Survey), and both are primary users of OpenSSL.

1. Why is Heartbleed Bug So Serious?


The problem is that it allows an attacker to read information that is supposed to be protected by SSL/TLS encryption. SSL/TLS protects email, instant messaging, the web, and more. The Heartbleed bug makes it possible to steal protected data such as usernames and passwords, and also emails, instant messages, business communications, and so on.

Ronald Prins of the security firm Fox-IT tested the bug and wrote about it on Twitter:

[Image: Ronald Prins’ tweet about the Heartbleed bug]

He said that he ran the attack for 5 minutes and obtained 200 Yahoo usernames and passwords. Yahoo has already fixed the vulnerability on its main websites (The Epoch Times), but I just wanted to give you an example of what Heartbleed can do.

2. Why is Heartbleed Bug unique?


Other bugs come and go, and the next version fixes them, so they cause little lasting trouble. Heartbleed, however, leaves a vast amount of private data exposed to the Internet for a long period. “As long as the vulnerable version of OpenSSL is in use it can be abused,” the Heartbleed.com website states. For a more detailed review of the Heartbleed bug, visit Heartbleed.com.
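As an added illustration (not code from the original post or from OpenSSL), the following Python simulation shows the missing length check behind Heartbleed: it encodes an RFC 6520 heartbeat message and contrasts reply logic that trusts the claimed payload length with the fixed logic, which discards a message whose claimed length exceeds the record. The "adjacent heap data" string is constructed for the demo, and the reference to 1.0.1g as the fixed release is an assumption drawn from the OpenSSL advisory rather than from this post.

```python
import struct

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: a heartbeat message ends with at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len=None) -> bytes:
    """Encode: type(1) | payload_length(2) | payload | padding.
    claimed_len lets the demo declare a length larger than the real payload."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def _reply(memory: bytes, payload_len: int) -> bytes:
    # Copies payload_len bytes starting right after the 3-byte header, like memcpy did.
    payload = memory[3:3 + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def vulnerable_reply(memory: bytes, record_len: int) -> bytes:
    """Pre-fix logic: the claimed payload_length is never compared with the record length,
    so the copy can run past the record (memory[:record_len]) into whatever follows it."""
    _hb_type, payload_len = struct.unpack("!BH", memory[:3])
    return _reply(memory, payload_len)


def fixed_reply(memory: bytes, record_len: int):
    """Fixed logic (OpenSSL 1.0.1g, assumed): reject the message when the claimed
    length plus header and padding would not fit inside the received record."""
    _hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None  # silently discard, as the patched code does
    return _reply(memory, payload_len)


def demo():
    # A 5-byte payload that claims to be 40 bytes long, followed in "memory" by
    # constructed data standing in for whatever the server had on its heap.
    record = build_heartbeat(b"hello", claimed_len=40)
    memory = record + b"session_cookie=SECRET123; password=hunter2"
    return vulnerable_reply(memory, len(record)), fixed_reply(memory, len(record))


if __name__ == "__main__":
    leaked, rejected = demo()
    print("unchecked reply:", leaked)   # contains bytes from beyond the record
    print("checked reply:  ", rejected)  # None: message discarded
```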

3. Protect Yourself.


Open your browser settings and turn on certificate revocation checking. When a certificate is issued to a secure website, it contains data that allows your browser to validate that the certificate was not issued in error and has not been compromised. In other words, the browser checks whether the certificate has been revoked by the company that issued it.

3.1. Google Chrome:

Open your browser’s Settings and scroll down until you find “+Show advanced settings”.

[Image: Google Chrome Settings]

Open the advanced settings and scroll down until you see the HTTPS/SSL heading. Under it, check the box “Check for server certificate revocation.”

[Image: Google Chrome certificate revocation setting]

3.2. Firefox

For more information, visit Mozilla’s “Using Certificates” page.

3.3. Safari

Bring up Keychain Access and go to Preferences. (If you can’t find it, search for “Keychain” using Command-Space.) Now hold down the Option key and check “Require for all certificates”.

[Image: Safari Keychain Access]

3.4. WordPress

There is a new security update available (8 April 2014), so make sure to update all your WordPress websites too.

4. Conclusion: If You Are Vulnerable


There is a web-based test at http://filippo.io/Heartbleed/ where you can check whether your site is vulnerable. Just type in your website address and that’s it.

Read more: OpenSSL “heart bleed” bug live blog
