11 Apr

The Achilles’ heel of OpenSSL

A hot topic these days is the Heartbleed bug, which could potentially be a gateway to leaking massive amounts of personal information. Since the beginning of the week, big players like Yahoo, the Canada Revenue Agency and Dell have been shutting down parts of their websites so that their teams can apply the required security patches.

The programming flaw was introduced into OpenSSL about two years ago (it first shipped in OpenSSL 1.0.1, in March 2012), and since so many websites rely on OpenSSL for their SSL/TLS, it has exposed a much larger share of the Internet than a typical bug.

The bug is in OpenSSL's implementation of the TLS Heartbeat extension (RFC 6520), not in the SSL protocol itself. A heartbeat request carries a payload and a payload-length field; vulnerable versions trust the length the peer supplies and copy that many bytes from memory into the reply without checking it against the size of the record actually received. Each malformed request therefore hands up to 64 KB of the server's process memory to anyone on the Internet, and leaves nothing in the logs. That memory holds whatever the server was working with at the time: usernames, passwords, session cookies, addresses, credit card numbers, all of which SSL encryption was supposed to protect. More importantly, it can hold the server's private key, and once that is exposed,

Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed

and an attacker holding the key can impersonate the server and decrypt traffic, including recordings captured before the patch was applied. Patching OpenSSL closes the hole but does nothing about a key that has already leaked: the certificate has to be revoked and reissued with a freshly generated key, and any passwords or session cookies that passed through the server should be treated as compromised. One caveat on the "past traffic" point: a leaked key only decrypts old captures if the connections used RSA key exchange; sessions negotiated with forward-secret cipher suites (DHE or ECDHE) cannot be recovered from the key alone.
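To make the mechanism concrete, here is an added illustration of a heartbeat handler in the vulnerable shape next to the checked one. It is not OpenSSL's code and not part of the original post; the record layout follows RFC 6520, the array g_memory stands in for the server's heap, and the "secret" placed behind the record is constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * The vulnerable handler trusts payload_length from the peer instead of the
 * length of the record it actually received. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3
#define HB_PADDING  16

/* Constructed stand-in for the server's heap: the received record is placed
 * at offset 0 and unrelated data (a made-up session secret) sits right
 * behind it, as it can on a real heap. */
#define MEM_SIZE 256
static unsigned char g_memory[MEM_SIZE];
static const char SECRET[] = "session=deadbeef; key=hunter2";

/* Lay out a heartbeat request in g_memory. claimed_len is what the sender
 * writes in the length field, payload_len is how many bytes are really sent.
 * Returns the true record length (what OpenSSL keeps in s->s3->rrec.length). */
size_t build_memory(uint16_t claimed_len, const char *payload, size_t payload_len) {
    memset(g_memory, 0, sizeof g_memory);
    g_memory[0] = HB_REQUEST;
    g_memory[1] = (unsigned char)(claimed_len >> 8);
    g_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(g_memory + HB_HDR, payload, payload_len);
    size_t rrec_len = HB_HDR + payload_len + HB_PADDING;
    memcpy(g_memory + rrec_len, SECRET, sizeof SECRET);  /* lands right after the record */
    return rrec_len;
}

/* Vulnerable shape (OpenSSL 1.0.1 through 1.0.1f): rrec_len is never consulted. */
size_t hb_vulnerable(const unsigned char *rec, size_t rrec_len,
                     unsigned char *out, size_t out_cap) {
    (void)rrec_len;                                   /* ignored: this is the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    /* Demo-only guard so the simulated over-read stays inside g_memory; real
     * OpenSSL had no bound here and copied whatever followed on the heap. */
    size_t avail = (size_t)(g_memory + MEM_SIZE - rec);
    if (HB_HDR + (size_t)payload > out_cap || HB_HDR + (size_t)payload > avail)
        return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);     /* reads past the record */
    return HB_HDR + payload;
}

/* Hardened shape (the check OpenSSL 1.0.1g added): reject lengths the record cannot hold. */
size_t hb_hardened(const unsigned char *rec, size_t rrec_len,
                   unsigned char *out, size_t out_cap) {
    if (HB_HDR + HB_PADDING > rrec_len) return 0;                    /* too short to parse */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload + HB_PADDING > rrec_len) return 0;  /* the missing bound */
    if (HB_HDR + (size_t)payload > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    return HB_HDR + payload;
}

/* Does the reply contain the secret that sat behind the record? */
int response_leaks_secret(const unsigned char *resp, size_t len) {
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(resp + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Send a request that claims claimed_len bytes while really carrying "hello". */
size_t run_request(int hardened, uint16_t claimed_len, unsigned char *resp, size_t cap) {
    size_t rrec_len = build_memory(claimed_len, "hello", 5);
    return hardened ? hb_hardened(g_memory, rrec_len, resp, cap)
                    : hb_vulnerable(g_memory, rrec_len, resp, cap);
}

size_t reply_len(int hardened, uint16_t claimed_len) {
    unsigned char resp[MEM_SIZE];
    return run_request(hardened, claimed_len, resp, sizeof resp);
}

/* 1 if the handler's reply leaks the constructed secret, 0 if not. */
int leak_demo(int hardened, uint16_t claimed_len) {
    unsigned char resp[MEM_SIZE];
    size_t n = run_request(hardened, claimed_len, resp, sizeof resp);
    return response_leaks_secret(resp, n);
}

int main(void) {
    printf("vulnerable, claimed 200: leak=%d\n", leak_demo(0, 200));
    printf("hardened,   claimed 200: leak=%d\n", leak_demo(1, 200));
    printf("hardened,   honest 5:    leak=%d\n", leak_demo(1, 5));
    return 0;
}
```

The honest request ("hello", length 5) gets the same 8-byte echo from both handlers; only the lying request (length 200 on a 24-byte record) is served by the vulnerable one, and its reply carries the bytes that happened to sit after the record. In a real process those bytes are whatever the allocator put there last, which is why repeated requests gradually sweep through cookies, passwords and key material.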

According to heartbleed.com, OpenSSL is the most popular open-source cryptographic library, so a large majority of sites on the web have used it. Popular social sites, company sites, e-commerce sites, hobby sites, software download sites and even sites run by governments are running the vulnerable OpenSSL. Popular email servers (SMTP, POP and IMAP), chat servers (XMPP), VPN appliances (SSL-VPN), firewall and network appliances, and a wide variety of client-side software are also protected by OpenSSL, and are exposed in exactly the same way.

Fortunately, it can be fixed. The OpenSSL team has already released a fixed version, 1.0.1g, and it is important to note that not all versions are vulnerable: the bug affects OpenSSL 1.0.1 through 1.0.1f, while the older 1.0.0 and 0.9.8 branches never contained the heartbeat code. Validate whether your version is affected on heartbleed.com and take the necessary steps to patch or update your systems. Two practical caveats: distributions often backport the fix without changing the version string (a patched Debian, Ubuntu or Red Hat build may still report 1.0.1e), so check your package's changelog for the fix rather than trusting `openssl version` alone; and because the attack leaves no trace in the logs, assume the worst once you have patched, generate a new private key, reissue and revoke the certificate, and invalidate existing sessions.

Some firewall vendors, like Dell SonicWALL, can shield vulnerable servers with built-in scanning signatures. Dell SonicWALL appliances with an active Intrusion Prevention Service have protected devices and servers behind the firewall since April 8th, when Dell SonicWALL released a signature update for the service. Keep in mind that an IPS signature only blocks malformed heartbeat requests on the wire; it does not fix the library, so the servers behind the firewall still need to be patched.

Also, take a look at the list of popular sites that have already patched the Heartbleed bug, and change your credentials on those sites. Wait until a site has actually patched before changing your password there; a new password sent to a still-vulnerable server is just another one the attacker can read.


The New York Times
