For those who don’t know, Heartbleed is a major bug that is taking a toll on the internet and effectively short-circuiting our cyber security. A single flaw in OpenSSL is enough to expose a large number of encryption keys and passwords across the internet, which attackers can then misuse. Because the bug went undiscovered for so long, it has been slowly causing damage. This is not a bug you can ignore; here is why it is so serious. The bug works to the advantage of malicious attackers, who use it to unravel the secure data-transmission channels commonly used by e-commerce sites, banks and other sensitive organizations, stealing passwords and thus sensitive information.
The bug affects the “heartbeat” extension of OpenSSL, which is responsible for maintaining the security of the communication. A malicious user sends a request to the web server for some data, and the reply may include passwords, SSL encryption keys and so on: with this bug, anyone can read the memory of a system whose OpenSSL version is vulnerable. The secret keys are thus compromised, and attackers can then eavesdrop on the channels and steal the data. You can test your site for the vulnerability. If it is vulnerable, upgrade to OpenSSL 1.0.1g, which provides protection against Heartbleed. If you are presently unable to upgrade, OpenSSL heartbeat support can be disabled. Changing passwords is not a useful step unless the site has already taken measures against this bug. The researchers who studied the bug have stated that exploitation leaves nothing unusual to observe afterwards.
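To make the “read the system’s memory” step concrete, here is an added example (not OpenSSL’s code) that models a heartbeat record in a small constructed memory arena and shows the single length check that the 1.0.1g fix adds: the handler compares the payload length claimed inside the record against the number of bytes actually received, and discards the record when they disagree. The arena, the `SECRET` marker and all function names are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a TLS heartbeat record: 1-byte type, 2-byte
 * big-endian payload_length, payload bytes, then >= 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Hypothetical "process memory": the record sits at the front and is
 * followed by data that should never leave the host. */
unsigned char arena[256];

/* Place a request in the arena claiming 'claimed_len' payload bytes while
 * carrying only 'real_len'. Returns the record length actually received. */
size_t build_request(size_t claimed_len, size_t real_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memset(arena + 3, 'A', real_len);
    /* bytes past the record stand in for neighbouring secrets in memory */
    memcpy(arena + 3 + real_len + HB_PADDING, "SECRET-KEY-MATERIAL", 19);
    return 3 + real_len + HB_PADDING;
}

/* Handle a heartbeat request. check_length == 0 mirrors the pre-1.0.1g
 * logic: the length field inside the record drives the copy. With
 * check_length != 0 the record is rejected (-1) when the claimed payload
 * plus padding does not fit in the bytes actually received. */
int handle_heartbeat(const unsigned char *rec, size_t rec_len, int check_length,
                     unsigned char *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (check_length && 1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;                              /* the fix: silently discard */
    if (3 + payload_len > out_cap) return -1;   /* keeps this model in bounds */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);      /* unchecked: reads past the record */
    return (int)(3 + payload_len);
}

/* Returns 1 if the response echoes bytes that were never in the request. */
int response_leaks_secret(const unsigned char *out, int out_len) {
    for (int i = 0; i + 6 <= out_len; i++)
        if (memcmp(out + i, "SECRET", 6) == 0) return 1;
    return 0;
}
```

Running the unchecked handler on a request that claims 64 bytes but carries 4 returns a 67-byte response containing the marker; the checked handler returns -1 for the same record and still answers well-formed requests normally.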