Major OpenSSL vulnerability can lead to password theft

Source: Internet
Author: User
Keywords: OpenSSL, password stolen
"TechWeb Report", April 9: A serious security vulnerability, called Heartbleed, was disclosed today in the security protocol OpenSSL. The leak may result in the theft of personal information such as passwords and credit card numbers.

It is understood that the flaw causes web servers running some of the latest OpenSSL versions to keep some data in memory unprotected. Hackers can retrieve that data, reconstruct information about users or keys, and obtain users' encrypted data.

News of the OpenSSL vulnerability caught many websites unprepared, and they failed to take remedial measures in time. An author at the US news website Vox has published a comprehensive explanation of the Heartbleed vulnerability, which includes the following.

What is SSL?

SSL is a popular encryption technology that protects the private information users transmit over the Internet. When a user visits a secure website such as gmail.com, a lock appears next to the URL, indicating that communication with the site is encrypted. This lock indicates that no third party can read any communication between you and the site. Behind the scenes, data encrypted with SSL can only be decrypted by the receiver. If criminals eavesdrop on the user's conversation, they see only a string of random characters, not the contents of emails, Facebook posts, credit card numbers, or other private information.

SSL was first introduced by Netscape in 1994 and has been adopted by all major browsers since the 1990s. In recent years, many large network services have made this technology the default for encrypting data. Today, Google, Yahoo and Facebook use SSL by default to encrypt their websites and network services.

What is Heartbleed?

Most SSL-encrypted websites use an open source package called OpenSSL. On Monday, researchers announced a serious flaw in the software that could lead to the disclosure of user communications to eavesdroppers. The flaw has existed in OpenSSL for about two years.

How it works: The SSL standard contains a heartbeat option, which allows the computer at one end of an SSL connection to send a short message confirming that the computer at the other end is still online and to get a reply. The researchers found that cleverly crafted malicious heartbeat messages can trick the computer on the other end into divulging confidential information. An affected computer can be tricked into sending information from the server's memory.

Is the impact of this vulnerability large?

It is large, because a lot of private information is stored in server memory. Ed Felten, a computer scientist at Princeton University, said that attackers using the technique could sift through the information by pattern matching to find keys, passwords, and personal information such as credit card numbers.

The harm done by losing credit card numbers and passwords is self-evident. But the consequences of a stolen key may be more serious. The key is the code the server uses to decrypt encrypted information. If an attacker obtains the server's private key, he or she can read any information the server receives, or even use the key to impersonate the server and trick users into revealing passwords and other sensitive information.