SSL may be one of the more secure protocols that everyone touches.

SSL may be one of the more secure protocols that we have in contact with, and the SSL security protocol is used to see a Web site with a https://start. OpenSSL, a security protocol that provides security and data integrity for network traffic, encompasses the main cryptographic algorithms, common key and certificate encapsulation management functions, and SSL protocols, and provides rich applications for testing or other purposes. OpenSSL is an open source SSL implementation, used to achieve high intensity encryption of network communications, and is now widely used in various network applications.

In other words, OpenSSL is the biggest sales lock on the Internet. Yesterday, there was a problem with the lock. OpenSSL exposes significant security vulnerabilities-"Heartbleed bugs". Researchers at Google and cyber security Codenomicon found a bug in the OpenSSL Heartbleed module:

Simply put, hackers can use HTTPS (there is this vulnerability) of the Web site attack, each read the server in memory 64K data, repeated acquisition, memory may contain the user HTTP original request, user cookie or even plaintext account password. We often visit the Alipay, micro-letter, Taobao and other websites also exist this loophole. And more users test the world's most popular 1000 sites, the results 30%~40% have problems.

Beyond that, there are other reasons why this loophole is being taken seriously by so many people:

This loophole has been around for a long time, but only yesterday was exposed. So it's hard to estimate how many websites and how many users ' data are being stolen. This vulnerability is easily exploited by hackers. Leave no trace. This is probably the most critical issue, the site does not know who is stealing user information, it is difficult to pursue legal liability.

The official name of the loophole is cve-2014-0160. This vulnerability affects the OpenSSL 1.0.1 version to 1.0.1f. Older versions of 1.0.1 were unaffected. OpenSSL has released a 1.0.1g version to fix the problem, but the site will take some time to upgrade the software. However, if the site is configured with a feature called "Perfect Forward Secrecy," the impact of this vulnerability will be significantly reduced. This feature changes the security key so that even if a particular key is obtained, the attacker cannot decrypt past and future encrypted data.

How do I respond to this vulnerability?

Personal User Defense recommendations:

Each website repair this loophole may need 1-3 days time, some quick response website such as Taobao, micro-letter and so on may repair faster. As long as the vulnerability of the site to repair the completion of the landing. Of course, if you still don't trust, you can also click here or click here to see if you want to log on the site is safe. Users who have accidentally logged on to these sites can modify the password.

In addition, pay close attention to financial reports in the next few days. Because an attacker can obtain credit card information in the server's memory, pay attention to the unfamiliar debit in the bank report.

Corporate Defense recommendations: Upgrade to the latest version of OpenSSL 1.0.1g. Users who cannot be upgraded immediately can recompile OpenSSL with the-dopenssl_no_heartbeats switch. The 1.0.2-beta version of the vulnerability will be repaired in the Beta2 version. Of course, do not forget to remind users to change their passwords after the upgrade, reminding cloud service consumers to update SSL key duplicate certificates.