-
New Bugs Discovered in OpenSSL Encryption20 March 2015 -
Poodle Bug: Mozilla to Disable SSL 3.0 by Default in Firefox 3415 October 2014
-
Poodle Attack: Hackers Could Exploit SSL 3.0 Bug15 October 2014
-
Yahoo Says Some Systems Breached, But Not by Shellshock8 October 2014
-
Hackers Exploit Bash 'Shellshock' Bug With Worms in Early Attacks26 September 2014
- Home
- Internet
- Internet News
- OpenSSL 'Heartbleed' vulnerability lets attackers spy on secure Web traffic
OpenSSL 'Heartbleed' vulnerability lets attackers spy on secure Web traffic
By NDTV Correspondent | Updated: 8 April 2014 15:48 IST
Advertisement
A serious flaw in the implementation of OpenSSL, a fundamental security measure used by millions of websites, could expose sensitive information to attackers, including private messages, login credentials and credit card details. The vulnerability, officially tagged CVE-2014-0160 but also known as "Heartbleed", potentially allows attackers to retrieve entire OpenSSL decryption keys from an affected server, allowing them to decrypt secure communications without leaving any sign of brute-force intrusion.
In addition to stealing names, passwords, and message contents, attackers could also disguise themselves as legitimate users, thus eavesdropping and stealing all data flowing in and out of a vulnerable service.
The flaw is not in the encryption method itself, but rather in the way the OpenSSL implementation manages memory. If an attacker sends a deliberately malformed request to the server, it automatically responds with up to 64kB of data that might contain sensitive information.
The problem was known internally and a fix was being prepared, but security firm CloudFlare published information about it before the fix was ready for general release, in an attempt to promote a fix for their own OpenSSL implementation. Web administrators who rely on OpenSSL might not have time to apply the fix before attackers decide to put the flaw into practice.
OpenSSL versions 1.01 and 1.02 beta are affected. Administrators running 1.01f or earlier are advised to upgrade to 1.01g. A 1.02 beta 2 release will fix the vulnerability in the beta channel, when it is released. Security firm Codeomnicon estimates that at least 66 percent of active sites on the Internet could be affected, in addition to a massive number of email, instant message, virtual private network and various other services.
There is no known evidence of a successful attack on any person or organisation due to the Heartbleed vulnerability.
In addition to stealing names, passwords, and message contents, attackers could also disguise themselves as legitimate users, thus eavesdropping and stealing all data flowing in and out of a vulnerable service.
The flaw is not in the encryption method itself, but rather in the way the OpenSSL implementation manages memory. If an attacker sends a deliberately malformed request to the server, it automatically responds with up to 64kB of data that might contain sensitive information.
The problem was known internally and a fix was being prepared, but security firm CloudFlare published information about it before the fix was ready for general release, in an attempt to promote a fix for their own OpenSSL implementation. Web administrators who rely on OpenSSL might not have time to apply the fix before attackers decide to put the flaw into practice.
OpenSSL versions 1.01 and 1.02 beta are affected. Administrators running 1.01f or earlier are advised to upgrade to 1.01g. A 1.02 beta 2 release will fix the vulnerability in the beta channel, when it is released. Security firm Codeomnicon estimates that at least 66 percent of active sites on the Internet could be affected, in addition to a massive number of email, instant message, virtual private network and various other services.
There is no known evidence of a successful attack on any person or organisation due to the Heartbleed vulnerability.
Comments
For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.
Related Stories
Advertisement
Follow Us
-
03:19
Gadgets 360 With Technical Guruji: Something About the Nothing Ear, Ear (a) -
19:21
Gadgets 360 With Technical Guruji: Samsung's New AI Smart TVs, Nothing Ear -
05:23
Gadgets 360 With Technical Guruji: Samsung's New AI Smart TVs -
01:17
Gadgets 360 With Technical Guruji: Tech Tip [April 20, 2024] -
02:05
Gadgets 360 With Technical Guruji: Ask TG [April 20, 2024]
Advertisement
Popular on Gadgets
- AI
- iPhone 16 Leaks
- Apple Vision Pro
- Oneplus 12
- iPhone 14
- Apple iPhone 15
- OnePlus Nord CE 3 Lite 5G
- iPhone 13
- Xiaomi 14 Pro
- Oppo Find N3
- Tecno Spark Go (2023)
- Realme V30
- Best Phones Under 25000
- Samsung Galaxy S24 Series
- Cryptocurrency
- iQoo 12
- Samsung Galaxy S24 Ultra
- Giottus
- Samsung Galaxy Z Flip 5
- Apple 'Scary Fast'
- Housefull 5
- GoPro Hero 12 Black Review
- Invincible Season 2
- JioGlass
- HD Ready TV
- Laptop Under 50000
- Smartwatch Under 10000
- Latest Mobile Phones
- Compare Phones
Latest Gadgets
- HMD Pulse
- HMD Pulse+
- HMD Pulse Pro
- Realme Narzo 70x 5G
- Realme Narzo 70 5G
- Samsung Galaxy C55
- Blackview Hero 10
- Oppo K12
- Lenovo IdeaPad Pro 5i
- Asus ZenBook Duo 2024 (UX8406)
- Realme Pad 2 Wi-Fi
- Redmi Pad Pro
- boAt Storm Call 3
- Lava ProWatch Zn
- Samsung Samsung Neo QLED 8K Smart TV QN800D
- Samsung Neo QLED 4K Smart TV (QN90D)
- Sony PlayStation 5 Slim Digital Edition
- Sony PlayStation 5 Slim
- Lloyd 1.5 Ton 3 Star Inverter Split AC (GLS18I3FOSEW)
- Haier 1.5 Ton 3 Star Triple Inverter Split AC (HSU18K-PYSS3BN-INV)
- About Us
- Sitemaps
- Feedback
- Archives
- Contact Us
- RSS
- Advertise
- Career
- Privacy Policy
- Ethics
- Editorial Policy
- Terms & Conditions
- Complaint Redressal
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2024. All rights reserved.
