Alfred's New Ramblings

Heartbleed bug in OpenSSL

OpenSSL has a bug, the bounds checking for one of the variables were incomplete.  This bug is related to the heartbeat feature to check for the existence of a client.  This XKCD comic is a very popular way of explaining how it works.


Heartbleed bug explained by XKCD comic

Heartbleed Explanation

What it gives out, unfortunately is everything.  Server private keys and othr user sessions. All without being logged!

So now websites that use OpenSSL, the admins are  busy patching their servers, regenerating private keys.  If anyone has a copy of the server private keys, they can decrypt any stored SSL traffic.  Leading to some observers to call for serious discussion about the implementation of Perfect Forward Security.  This is of course not without its additional encryption overhead.

Soon you will need to have a browser plug in or extension to detect Heartbleed bug in the websites that you access.  This is for Firefox and Chrome, link

 Awareness website

Tagged on: ,

Leave a Reply

Your email address will not be published. Required fields are marked *