Wednesday, April 2, 2014

The Heartbleed Bug



A large share of the servers on the internet (the Apache and nginx web servers, many mail servers and VPNs) rely on an open-source library called "OpenSSL". It is not a protocol itself; it is the code that implements the SSL/TLS protocols, handling the encryption handshake between the client (usually you as the user) and the server (the data you want) and then encrypting everything sent over the connection.

Recently a bug in the OpenSSL code, nicknamed "Heartbleed" (CVE-2014-0160), was made public; there have been unconfirmed reports that the NSA and others already knew about it. It abuses the TLS "Heartbeat" extension, a keep-alive feature OpenSSL has shipped since version 1.0.1. Either side of a connection can periodically send a heartbeat request, which is a small chunk of data (a "keyword") plus a field stating how long that data is, and the other side responds by echoing the keyword back, as a check that the secure connection is still alive. Heartbleed takes advantage of the fact that the vulnerable code trusts that LENGTH field without checking it against the amount of data that actually arrived (a missing bounds check). So if the attacker sends "Giraffe" but claims it is 64 KB long (the most the two-byte length field can hold), the server responds with 64 KB of data starting with "Giraffe" and filling the rest with whatever happens to sit next to it in the OpenSSL process's memory. This is very, very bad. Each request leaks up to 64 KB of what is effectively a random slice of memory, but nothing stops the attacker from repeating it thousands of times and collecting a large sample of the process's memory on their side, and a plain heartbeat request leaves nothing in ordinary web server logs. That sample can contain session cookies, usernames and passwords from recent requests, personal details, and in the worst case the server's private key. What it cannot reach is data that was never in that process's memory, such as files on disk or a database the server has not loaded. Because the bug is in the handling of the request, it also works in reverse: a malicious server can read memory out of a vulnerable client.
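Here is the bug boiled down to a small C program. This is an added example, not OpenSSL's own code: a 1 KB byte array stands in for the process heap, the "stale" secret placed right after the received record is constructed for the demonstration, and the two handlers mirror the logic before and after the 1.0.1g fix (the shape of the added length check is the real one; the function and type names are mine).

```c
/* Simulation of the OpenSSL heartbeat bug (CVE-2014-0160) and its fix.
 * Added example, not OpenSSL's code: a fake heap arena stands in for
 * process memory, and the two handlers mirror pre/post-1.0.1g logic. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message:
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define ARENA_SIZE   1024

/* Simulated process heap. The received record sits at the front of the
 * arena; whatever the process allocated earlier (here a constructed
 * fragment of a previous HTTP request) happens to sit right after it. */
typedef struct {
    unsigned char mem[ARENA_SIZE];
    size_t record_len;   /* bytes of mem that actually arrived on the wire */
} heap_t;

/* Place a heartbeat request in the arena. claimed_len is what the sender
 * writes in the length field; it need not match strlen(payload). */
static void build_request(heap_t *h, const char *payload,
                          uint16_t claimed_len, const char *stale)
{
    size_t plen = strlen(payload);
    memset(h->mem, 0, sizeof h->mem);
    h->mem[0] = HB_REQUEST;
    h->mem[1] = (unsigned char)(claimed_len >> 8);
    h->mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(h->mem + 3, payload, plen);
    h->record_len = 3 + plen + HB_PADDING;
    /* stale data from an earlier request lives just past the record */
    memcpy(h->mem + h->record_len, stale, strlen(stale));
}

/* Pre-1.0.1g behaviour: payload_length is read straight from the
 * attacker's message and never compared with the size of the record. */
static int heartbeat_vulnerable(const heap_t *h, unsigned char *out, size_t *out_len)
{
    const unsigned char *p = h->mem;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);   /* n2s(p, payload) */
    if ((size_t)3 + payload > ARENA_SIZE)                /* keeps the demo inside the arena; not part of the bug or the fix */
        return -2;
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload);   /* reads past the record into neighbouring heap data */
    memset(out + 3 + payload, 0, HB_PADDING);
    *out_len = 3 + payload + HB_PADDING;
    return 0;
}

/* 1.0.1g behaviour: silently discard the request unless header, claimed
 * payload and padding all fit inside the record that actually arrived. */
static int heartbeat_fixed(const heap_t *h, unsigned char *out, size_t *out_len)
{
    const unsigned char *p = h->mem;
    uint16_t payload;
    if (h->record_len < 1 + 2 + HB_PADDING)
        return -1;
    payload = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > h->record_len)
        return -1;                                     /* the missing bounds check */
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload);   /* now guaranteed to stay inside the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    *out_len = 3 + payload + HB_PADDING;
    return 0;
}

/* Byte-string search (memmem is not portable). */
static int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle), i;
    for (i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Send "Giraffe" with the given claimed length to one of the handlers.
 * Returns 1 if the reply leaked the stale secret, 0 if it was a clean echo,
 * -1 if the handler rejected the request. */
static int run_scenario(uint16_t claimed_len, int use_fix)
{
    heap_t h;
    unsigned char out[3 + 65535 + HB_PADDING];
    size_t n;
    const char *secret = "password=hunter2&session=deadbeef";   /* constructed stale heap content */
    int rc;
    build_request(&h, "Giraffe", claimed_len, secret);
    rc = use_fix ? heartbeat_fixed(&h, out, &n) : heartbeat_vulnerable(&h, out, &n);
    if (rc != 0)
        return -1;
    return contains(out, n, secret);
}

int main(void)
{
    printf("claim 7 bytes,   vulnerable handler: %d\n", run_scenario(7, 0));
    printf("claim 200 bytes, vulnerable handler: %d\n", run_scenario(200, 0));
    printf("claim 200 bytes, fixed handler:      %d\n", run_scenario(200, 1));
    return 0;
}
```

With an honest length both handlers echo "Giraffe" and nothing else. With a length of 200 the vulnerable handler copies 200 bytes starting at the payload, which runs straight through the stale "password=..." fragment sitting after the 26-byte record; the fixed handler notices that 1 + 2 + 200 + 16 is larger than the 26 bytes received and drops the request without replying. The only thing OpenSSL 1.0.1g changed was that one comparison.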

The problem lies in the popularity of OpenSSL. It is used by practically everyone, and the bug had been sitting in released versions (1.0.1 through 1.0.1f) for about two years before it was disclosed, so a large part of the internet was exposed the whole time; the disclosure just meant everyone found out at once, attackers included. This has a huge effect on businesses, who would be responsible if/when user data was stolen or recorded. Patching is only the first step: upgrading to 1.0.1g (or rebuilding with -DOPENSSL_NO_HEARTBEATS) stops further leaks, but anything that was in memory before the patch, the private key included, has to be treated as compromised. That means generating new keys and certificates, revoking the old ones, expiring existing sessions, and asking users to change their passwords once the fix is in place (changing them before the server is patched just exposes the new password too). Checking a server is simple: run "openssl version" and compare it against the range above, keeping in mind that some distributions backport the fix without changing the version number, so the package changelog is the better source of truth.

It will be interesting to watch the business effects as time progresses.
