OpenSSL serious loophole, directly endanger Internet users ' property and personal information security

Most of the existing legal measures are subject to ex post facto constraint, which is not a problem that can be solved by simple legislation. In the event of a lawsuit, a class action is generally formed, but there are still many difficulties to be solved in the jurisdiction and the degree of compensation. Opening any web site that starts with any "https://" means you open a Web site that uses the SSL security protocol. This protocol is used to improve the data safety factor between applications and encrypt data to conceal the transmitted data. As one of the implementation forms of this Protocol, OpenSSL is the most widely used SSL service software.

Simply put, OpenSSL adds a virtual "lock" to the various account passwords you enter on the site. This "lock" is now used by more than two-thirds of the world's web sites.

On April 9, OpenSSL the worst security breach of the year. Use this loophole, the hacker sits in front of the computer of own home, can get to all "https://" the user that begins the website to login account password in real time, include information such as net silver, email etc.

Because of the huge impact, the flaw was named "Heartbleed" by the exposed person, meaning "heart bleeding."

The National Internet Emergency Center issued an advance bulletin on April 10, saying that because of the wide range of OpenSSL applications, including government, financial securities and university websites, E-commerce, instant chat, online payment, office systems, mail systems and many other service providers may be affected by the vulnerability, Directly endanger the Internet user property and personal information security.

The most serious security breach of the year

OpenSSL's history can be traced back to the Ssleay that Eric Young built. Although Matthew Green of Johns Hopkins University in the United States has derided it as a project to teach you to learn to divide the numbers, the encryption algorithms have been tightly controlled by the US government.

Years of accumulated and familiar features Bao OpenSSL smoothly to popularity, but we have only just come into contact with many of these deep holes that are not known.

According to the National Internet Emergency Center Bulletin, OpenSSL is an open source of SSL service software, is used to achieve network communication encryption and authentication. The software includes major cryptographic algorithms, commonly used keys, management functions for certificate encapsulation, and SSL protocols, and provides rich applications for testing or other purposes.

National Information security vulnerability Sharing Platform (CNVD) analysis, products affected by this vulnerability include: OpenSSL 1.0.1-1.0.1f version, the remaining version is not affected. Comprehensive test results, some large internet companies at home and abroad related VPN, mail services, instant chat, network payments, E-commerce, authorization and other servers are vulnerable to vulnerability, in addition to some government and university Web servers are also affected.

CNVD member Unit Qihoo 360 security expert Dr Shi Xiaohong said OpenSSL this vulnerability could be called a "network bomb" because a lot of privacy information is stored in the Web server's memory, no matter how secure the user's computer, as long as the site uses a flawed version of the OpenSSL, When a user logs on to the site, the hacker may be able to monitor the login account and password in real time.

In CNVD's comprehensive rating, the flaw was rated as "high-risk".

Some statistical data can also show the potential impact of this vulnerability. Qihoo 360 scanned the country's 1.2 million authorized websites and found that 11,440 Web sites were affected by the vulnerability. April 7, April 8, a total of about 200 million netizens visited the site with OpenSSL vulnerabilities.

And since OpenSSL is the default TLS certificate for both Apache and Nginxweb servers, experts estimate that up to two-thirds of the world's "safe" sites can easily be attacked by this vulnerability.

In fact, the signs of attack have emerged. National Internet Emergency Center reported that the current Internet has been the attack on the vulnerability of the use of code, is expected in the recent attack on the vulnerability will be a surge trend, the Web service providers and users of the damage will be further expanded.

At the same time, OpenSSL launched OpenSSL 1.01g this year April 7 to fix the loophole. At present, a large number of domestic web sites are urgent to update software to repair vulnerabilities.

However, at this time from the release of the defective software of March 12, 2012 has been more than two years, whether the account information is stolen can not be evaluated.

Who should be responsible for information disclosure

If a user logs on to a Web site that uses the flaw agreement, causing the information to be stolen and the loss incurred, who should be responsible for the loss? This is the next issue we may face.

Zhu, a researcher of Internet law experts and the Center of Communication Law of CESL, believes that the legal liability involved in the incident includes two aspects: one is to steal the information, that is, the legal liability of hackers The former is stipulated in Chinese criminal law and related judicial interpretation, while the latter is more complicated.

"According to data, the vulnerability was revealed two years ago, and hackers can illegally acquire up to 64K of data on vulnerable servers, which are enough to capture sensitive information about individuals, including property data." Zhu to "Legal daily" reporter analysis.

He introduced, in the network transaction, the transaction website has the duty to protect the user information security, this is originates from "the user agreement" the stipulation and the transaction good faith responsibility constituent. Once the user has been compromised, the website should bear the civil liability including breach of contract and tort liability.

"However, the site may also have defences, there are mainly three kinds, respectively, the defences of exemption clauses, the defences of force majeure and the plea of obligation to be fulfilled." "Zhu said.

In this regard, China University of Political Science and law, the Intellectual Property Center special researcher Zhao occupy that the reason for the dispute majeure is the most controversial.

"Is the site responsible for the damage that was discovered before?" The issue may need to be discussed. Because this is not the site's own vulnerabilities, but the site has adopted this common domestic and foreign protocol standards, and the protocol itself is a loophole in the standard, which for the site is unpredictable. Whether this is a force majeure or not, I am not sure now. Zhao occupation to "legal daily" reporter said.

Zhu that in this case, the plea of force majeure is not tenable. "Viruses, vulnerabilities or hacker attacks in the network world, its destruction and frequency can not be expected, the general theory that, to a certain extent, the site can be based on force majeure exemption." However, in this case, the SSL vulnerability was two years ago, in a period of up to two years, the site did not do a reasonable duty of care, and therefore can not be exempted by force majeure. ”

However, there is not much controversy over the loss to the user after the vulnerability has been discovered. Zhao occupation that, if the site in the leak after the discovery did not take measures in time, resulting in further expansion of user losses, the site will undoubtedly be liable for compensation.

How to defend the rights if the loss occurs

Even after the loss of users have space for protection, but was asked whether there are successful cases, more than accept the "legal daily" reporters interviewed by experts did not give a positive answer.

"In practice, I have heard only one case of prosecution, not yet sentenced: a hotel in Zhejiang Wi-Fi Management, certification system, due to the existence of loopholes and lead to user information leakage, was prosecuted to the court, recently filed, the results have not come out. "Zhao Conquest" introduced.

Most of the cases failed to move to the prosecution.

Zhao Occupation Analysis, the main reason is that the evidence is too difficult, the general user simply can not prove the information is through which channel leaked, because the general user of this information in many places are visible, so it is difficult to prove. The only way is to wait for the public security organs to file, find the criminal suspects, to ascertain exactly which channel leaked.

He introduced, once ascertained, if is the website itself or internal staff leakage, the Criminal Law Amendment (VII) has the stipulation "the illegal Disclosure citizen personal information" the crime. This was the case in which telecommunications companies and Alipay companies leaked user information. If the site is a passive leak, the situation is more complex as described above.

Zhao Occupation believes that the existing legal measures are mostly after the ex-post restraint, this is not a simple legislation can be solved.

"Like the current" telecommunications and Internet users personal information protection provisions, tort law and so on have relevant provisions, but can not solve the civil compensation in the problem of forensics, so there are few victims to sue. Zhao occupation thinks, this kind of predicament is rooted in our country's electronic evidence cognizance to have the very big flaw.

In the case of OpenSSL, Zhu that if there is a lawsuit, it will usually form a class action, but there are still many problems to be solved in the degree of jurisdiction and compensation.