The Heartbleed bug is a flaw in OpenSSL, the open-source encryption software. Normally, when we connect to well-known websites and bank websites, there is a security system: all data transferred between us and the site is encrypted into numbers and letters that people cannot understand, and only someone with the right decoding key can turn the encrypted data back into readable form. The Heartbleed flaw lets hackers break through this security system and obtain usernames and passwords, and then post updates or make transactions under our names.
"This flaw might be one of the most dangerous leaks in the history of the internet."
*SSL = Secure Sockets Layer, the main principle behind this security: it uses a mathematical model for its calculations and is easy to understand.
*TLS = Transport Layer Security is a protocol that ensures privacy between communicating applications and their users on the Internet. When a client and a server communicate, TLS ensures that no third party can eavesdrop on or interfere with any of the information. It is similar to SSL but a newer version.
Heartbleed is a vulnerability in OpenSSL, software that is widely used as the basic component for SSL/TLS encryption of data in transit: HTTPS, VPNs and other traffic encryption.
The discovery of Heartbleed is considered a "punch in the heart": it drastically damages the credibility of data transmission through SSL/TLS (in proportion to how much of it runs on OpenSSL), because access to data that we used to think was safe turns out to be not as safe as we previously thought. And OpenSSL is used by around 66% of websites on the internet.

(The National Security Agency, or NSA, was also mocked for using this Heartbleed bug to get into citizens' private data.)
Basic encryption
First, we must understand the basics of data encryption. Encryption today often uses an "asymmetric key pair": two keys that are randomly generated at the same time (a private key and a public key). The public key is sent out to the public, such as the Internet (in security terms, an untrusted space); the private key is stored only on the user's device (perceived as a trusted or safe space).
When A wants to send information to B under this scheme, A takes B's public key (obtained over the Internet) and mixes it with the "data" to be sent, so that it cannot be read by anyone except B, who holds the other half of the key pair: the private key that stays with B.
The reliability of this kind of encryption depends on how reliably the private key, the tool used in the encryption, is kept secret.
The operation of SSL / TLS
SSL/TLS works on the concept of the asymmetric key pair, but adds the concept of "certificates" to confirm the identity of the recipient. The certification process requires a "middleman" to confirm that identity. This middleman is called a Certification Authority (CA), and it supports the entire process. All of this together is called Public-Key Infrastructure, or PKI.
The Heartbleed problem
The SSL/TLS standard has an option called "Heartbeat" that lets the computer on either side send a short message to the computer on the other side to check that it is still online.
The problem in OpenSSL that we call Heartbleed is that OpenSSL made a mistake that lets the computer on the other side send a message in a special format; when the receiving side gets this message, it sends extra data back (data that happens to be in its memory).
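The mistake described above, as an added simulation (not OpenSSL's own code): the heartbeat record carries a claimed payload length, the unpatched handler trusts it and echoes that many bytes from memory, and the patched handler rejects any record whose claimed length does not fit in what was actually received. The record layout, the "hat" payload and the secret placed after the record are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define MIN_PADDING  16
#define RECORD_LEN   (3 + 3 + MIN_PADDING)   /* header + "hat" + minimum padding */
#define MEM_SIZE     128

/* Constructed sample "secret" that sits in server memory right after the record. */
static const uint8_t SECRET[] = "session_cookie=abc123";

/* Simulated server memory: a heartbeat record at the start (type byte, 2-byte
 * big-endian claimed payload length, payload "hat", 16 bytes of padding),
 * followed by unrelated data. Returns the record's real length. */
static size_t build_memory(uint8_t *mem, uint16_t claimed_len) {
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(mem + 3, "hat", 3);
    memcpy(mem + RECORD_LEN, SECRET, sizeof SECRET);
    return RECORD_LEN;
}

/* Echo the heartbeat payload. bounds_check == 0 trusts the claimed length (the
 * Heartbleed defect); bounds_check == 1 applies the check from the fixed version.
 * Returns the number of payload bytes echoed, or -1 when the record is rejected. */
static int heartbeat_reply(const uint8_t *mem, size_t record_len, int bounds_check,
                           uint8_t *resp, size_t resp_cap) {
    if (record_len < 3) return -1;
    uint16_t claimed = (uint16_t)((mem[1] << 8) | mem[2]);
    /* The fix: header + claimed payload + minimum padding must fit in what was received. */
    if (bounds_check && (size_t)3 + claimed + MIN_PADDING > record_len) return -1;
    if ((size_t)3 + claimed > resp_cap) return -1;   /* keeps the simulation in bounds */
    resp[0] = HB_RESPONSE;
    resp[1] = mem[1];
    resp[2] = mem[2];
    memcpy(resp + 3, mem + 3, claimed);   /* copies past the record if claimed is a lie */
    return (int)claimed;
}

/* 1 if the echoed payload contains SECRET, i.e. memory beyond the record leaked. */
static int response_leaks_secret(const uint8_t *resp, int payload_len) {
    size_t need = RECORD_LEN - 3 + (sizeof SECRET - 1);
    return payload_len > 0 && (size_t)payload_len >= need
        && memcmp(resp + RECORD_LEN, SECRET, sizeof SECRET - 1) == 0;
}
```

Calling heartbeat_reply with bounds_check set to 0 on a record that claims 64 bytes but sends 3 returns the secret inside the echo; with bounds_check set to 1 the same record is rejected, while an honest 3-byte claim is still answered.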
Effects of the Heartbleed bug
Heartbleed has already been fixed in the latest version of OpenSSL, so the fix is simply to update to that version or install the patch.
But the point is that nobody knows how many private keys have passed through OpenSSL since 2012 via the Heartbleed bug, or which websites got hacked.
When a private key has leaked, the data protected with that key (such as website passwords and credit card numbers) is no longer safe. Hackers will be able to access our information and do anything as if they were us. Probably all websites using OpenSSL were affected without knowing it.
These are some websites where you have to, or at least should, change your password.
- Facebook - found no evidence that it was hacked using this bug, but it is recommended that users change their password.
- Tumblr - found no evidence either; recommended to change your password.
- Google - Google said that some services were affected, such as Gmail, YouTube, Play, Apps and App Engine, but not Chrome or Chrome OS.
- Yahoo! (Including Yahoo mail)
- Amazon Web Services
- GoDaddy
- Dropbox
- LastPass
- SoundCloud
To protect ourselves from this bug we should change our passwords on all websites that use OpenSSL, to make sure they are safe.
What I learned from this
This bug has existed since 2012 but was ignored, and now in 2014 somebody hacked a bank account and it has become a big topic on social media again. This problem teaches us that we always overlook something we thought was not necessary to care about, and we only see how important it is when it causes a problem. Now it is hard to fix this bug because we don't know how many websites were affected and how many private keys have leaked out (matching the proverb "lock the stable door after the horse has bolted").
Deep detail explanation about the Heartbleed bug