{"id":21462,"date":"2014-04-09T02:20:28","date_gmt":"2014-04-09T00:20:28","guid":{"rendered":"https:\/\/mamchenkov.net\/wordpress\/?p=21462"},"modified":"2014-04-09T02:20:28","modified_gmt":"2014-04-09T00:20:28","slug":"the-heartbleed-bug","status":"publish","type":"post","link":"https:\/\/mamchenkov.net\/wordpress\/2014\/04\/09\/the-heartbleed-bug\/","title":{"rendered":"The Heartbleed Bug"},"content":{"rendered":"\n

\"heartbleed\"<\/a><\/p>\n

If you haven’t heard about The Heartbleed Bug<\/a> yet, here is your chance. \u00a0This page describes it nicely in not too technical detail. \u00a0Let’s get a few quotes to get you started:<\/p>\n

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL\/TLS encryption used to secure the Internet. SSL\/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).<\/p>\n

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<\/p><\/blockquote>\n

That doesn’t just sound nasty. \u00a0IT IS!<\/p>\n

<\/p>\n

Here is a look at how much of the Internet is affected:<\/p>\n

How widespread is this?<\/strong><\/p>\n

Most notable software using OpenSSL are the open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66% according to Netcraft’s April 2014 Web Server Survey<\/a>. Furthermore OpenSSL is used to protect for example email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and wide variety of client side software. […]\u00a0Furthermore OpenSSL is very popular in client software and somewhat popular in networked appliances which have most inertia in getting updates.<\/p><\/blockquote>\n

Also, as to how widespread are the affected versions of the OpenSSL:<\/p>\n

How common are the vulnerable OpenSSL versions?<\/strong><\/p>\n

The vulnerable versions have been out there for over two years now and they have been rapidly adopted by modern operating systems.<\/p><\/blockquote>\n

And it’s not a fresh one either:<\/p>\n

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.<\/p><\/blockquote>\n

So, now that I’ve got your attention, let’s not waste any more time and look for the fixes. \u00a0Check this Linux Weekly News post<\/a> for the list of distributions providing updated packages. \u00a0If you are not using Linux or your vendor hasn’t released the update yet, here is some information from the original OpenSSL Security Advisory<\/a>:<\/p>\n

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately\u00a0upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.<\/p><\/blockquote>\n

You can use this handy tool<\/a> to check if your servers are still vulnerable.<\/p>\n

Your servers should be fine now. \u00a0But just in case you want more information on the issue, here are few more resources for you to check:<\/p>\n