Heartbleed: An OpenSSL vulnerability

A bug in widely used encryption software has lately become a serious cause for concern. The flaw, called "Heartbleed" (CVE-2014-0160), affects several versions of the popular OpenSSL cryptographic library, which implements the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols that websites and other services use to encrypt sensitive traffic. The bug is a missing bounds check in OpenSSL's handling of the TLS heartbeat extension (RFC 6520): a peer can declare a heartbeat payload length larger than the data it actually sent, and the affected versions (1.0.1 through 1.0.1f) echo back up to 64 KB of whatever happens to follow the request in memory. Because so much of Internet security rests on SSL and TLS, an attacker who exploits this can read server memory, recover the keys that protect the traffic, and so read or impersonate the conversation between a user and a website.

According to the description posted on heartbleed.com, "This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)."

The security researchers who discovered the bug also said, "This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users." They added that the exposure is broad, because many widely deployed operating system releases shipped with an affected version of OpenSSL (the 1.0.1 series up to 1.0.1f; the 1.0.0 and 0.9.8 branches are not affected). Releases that may carry a vulnerable OpenSSL include Ubuntu 12.04.4 LTS, Debian Wheezy, Fedora 18, NetBSD 5.0.2, OpenBSD 5.3, FreeBSD 8.4, OpenSUSE 12.2, and CentOS 6.5.

This flaw in OpenSSL can be abused to expose the content of traffic that should be confidential, such as a financial transaction over HTTPS. The memory an attacker reads may contain the server's private key, session cookies, user names and passwords, and the plaintext of other users' requests. The worst part is that a heartbeat request is handled below the application layer and is not logged by default, so a server keeps no record of having been probed and cannot tell whether anything was taken. For that reason the researchers advised appliance vendors, operating system vendors and distributions, independent software vendors, and administrators to deploy the fixed OpenSSL (1.0.1g, or a build compiled with -DOPENSSL_NO_HEARTBEATS) as fast as possible. Since private keys may already have been read, patched servers should also have their certificates reissued and the old ones revoked, and users should change passwords only after the fix is in place.
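To make the leak described above concrete, here is an added example that is not part of the original article and not OpenSSL's own code: a simplified model of the heartbeat handler as it looked before and after the 1.0.1g fix. The record structure, the 23-byte "ping" request that claims a 64-byte payload, and the SECRET string placed in the memory following it are all constructed for the demonstration; the over-read stays inside one local arena so the program is well-defined, but it mirrors how a real server copied whatever sat after the record buffer into its reply.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout per RFC 6520:
 *   1 byte type (1 = request, 2 = response), 2 bytes payload_length
 *   (big-endian), payload_length bytes of payload, then >= 16 bytes padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed stand-in for OpenSSL's rrec.data / rrec.length. */
struct record {
    const uint8_t *data;
    size_t length;              /* bytes actually received in the TLS record */
};

/* Constructed "neighbouring memory": in the wild this was whatever happened
 * to follow the record buffer on the heap, such as key material. */
const char SECRET[] = "PRIVATE-KEY-MATERIAL";

/* Vulnerable handler (models OpenSSL <= 1.0.1f): payload_length comes from
 * the peer and is used as the copy length with no check against r->length. */
size_t heartbeat_vulnerable(const struct record *r, uint8_t *out, size_t outcap)
{
    const uint8_t *p = r->data;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s(p, payload) */
    p += 2;
    if (hbtype != HB_REQUEST)
        return 0;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > outcap)          /* model only: keep the reply buffer in bounds */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, p, payload);    /* reads past the received bytes when payload lies */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler (models the 1.0.1g patch): discard any record whose declared
 * payload_length does not fit inside the bytes that actually arrived. */
size_t heartbeat_fixed(const struct record *r, uint8_t *out, size_t outcap)
{
    if (1 + 2 + HB_PADDING > r->length)
        return 0;                   /* too short to hold even a header */
    const uint8_t *p = r->data;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > r->length)
        return 0;                   /* silently discard, RFC 6520 section 4 */
    if (hbtype != HB_REQUEST)
        return 0;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > outcap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, p, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Does the byte buffer contain the NUL-terminated string s? */
int contains(const uint8_t *buf, size_t n, const char *s)
{
    size_t m = strlen(s);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, s, m) == 0)
            return 1;
    return 0;
}

/* Constructed scenario: a 23-byte record ("ping" + 16 bytes padding) that
 * claims a 64-byte payload, with SECRET sitting in memory right after it.
 * Returns the reply length written to out (0 means the request was discarded). */
size_t run_heartbeat(int use_fixed, uint8_t *out, size_t outcap)
{
    uint8_t arena[128] = {0};       /* record bytes followed by "neighbouring" memory */
    size_t rec_len = 1 + 2 + 4 + HB_PADDING;   /* 23 bytes actually received */
    arena[0] = HB_REQUEST;
    arena[1] = 0x00; arena[2] = 0x40;          /* claimed payload_length = 64 */
    memcpy(arena + 3, "ping", 4);
    memcpy(arena + rec_len, SECRET, sizeof SECRET); /* lands inside the over-read window */
    struct record r = { arena, rec_len };
    return use_fixed ? heartbeat_fixed(&r, out, outcap)
                     : heartbeat_vulnerable(&r, out, outcap);
}

int main(void)
{
    uint8_t out[256];
    size_t n = run_heartbeat(0, out, sizeof out);
    printf("vulnerable: %zu-byte reply, secret leaked: %s\n",
           n, contains(out, n, SECRET) ? "yes" : "no");
    n = run_heartbeat(1, out, sizeof out);
    printf("fixed: %zu-byte reply (request discarded)\n", n);
    return 0;
}
```

The vulnerable handler returns an 83-byte reply whose payload section starts with the four real bytes of "ping" and continues with 60 bytes of memory the client never sent, including SECRET; the fixed handler sees that 1 + 2 + 64 + 16 exceeds the 23 bytes received and returns nothing at all. The check lives on the receiver, which is why patching the server (and reissuing any key that may already have been read) is the only remedy; nothing on the client side can make an unpatched peer safe.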
