By now you may have heard that Heartbleed is a major bug in OpenSSL, a cryptographic library used by two-thirds of all servers on the Internet to prevent eavesdroppers from seeing everything you do on the Web, including the usernames, passwords, and credit card numbers you enter while shopping or banking. Sites running the affected versions of OpenSSL have actually been more vulnerable than those without this kind of security at all, and admins have been scrambling to patch the software and revoke any encryption keys that attackers may have stolen. Plus, since the bug dates back to 2011, it's unclear how long, how frequently, or by whom it has been exploited prior to disclosure. Security guru Bruce Schneier has called it “catastrophic,” saying, “On the scale of 1 to 10, this is an 11.”

The deafening klaxons can leave one feeling helpless, but there are still steps you can take to mitigate the damage. You might even come out of it with a more robust Internet security regimen.

First, it helps to understand how the bug works. Heartbleed is named after where it was found in OpenSSL's code: an extension controlling something called the “heartbeat.” The heartbeat is a short message exchange that occurs at regular intervals between the user and the server, allowing the server to check that the user is still connected and keep the secure session open.

An example heartbeat might go something like this: a user's web browser says, “Hello, Server? The secret word is 'Mendax' and it is six characters long.” The server would then respond by echoing, “Got it, the secret word is 'Mendax'.” The connection stays open, and the process repeats at the next beat.

But because of an error in the heartbeat code, a malicious user could lie to the server, telling it the secret word is longer than it actually is.