What does the OpenSSL "Heartbleed" vulnerability mean? How to deal with it?

Source: Internet
Author: User
Abstract: SSL may be one of the security protocols you come into contact with most often: when a website's address begins with https://, the SSL security protocol is in use. OpenSSL is an implementation of that protocol which provides confidentiality and data integrity for network communications and encompasses the main cryptographic algorithms.

SSL may be one of the security protocols we come into contact with most often: when a website's address begins with https://, the SSL security protocol is in use. OpenSSL is an open-source implementation of SSL that provides confidentiality and data integrity for network communications. It encompasses the main cryptographic algorithms, common key and certificate management functions and the SSL protocols themselves, and it ships with a rich set of tools for testing and other purposes. It is used to apply strong encryption to network communications and is now widely deployed in all kinds of network applications.

In other words, OpenSSL is the best-selling lock on the Internet. Yesterday a problem was found with that lock: OpenSSL disclosed a serious security vulnerability, the "Heartbleed" bug. Researchers at Google and the security firm Codenomicon found a flaw in OpenSSL's heartbeat extension:

Simply put, an attacker can target any website that serves HTTPS with a vulnerable OpenSSL and read 64K of the server's memory on each request; by repeating the request, the attacker collects memory that may contain users' original HTTP requests, their cookies, or even plaintext account passwords. Sites we visit often, such as Alipay, WeChat and Taobao, were also affected. Further tests of the world's 1000 most popular websites found that 30%~40% had the problem.

Beyond that, there are other reasons this vulnerability is being taken so seriously by so many people:

The vulnerability has existed for a long time and was only exposed yesterday, so it is hard to estimate how many websites and how many users' data have already been stolen. It is easy for attackers to exploit. And it leaves no trace: this is probably the most critical point, because a site cannot tell who has stolen its users' information, which makes it difficult to pursue legal liability.

The official identifier of the vulnerability is CVE-2014-0160. It affects OpenSSL versions 1.0.1 through 1.0.1f; versions older than 1.0.1 are unaffected. OpenSSL has released version 1.0.1g to fix the problem, but it will take sites some time to upgrade their software. If a site has enabled a feature called "Perfect Forward Secrecy", however, the impact of this vulnerability is significantly reduced: the keys protecting each session are changed regularly, so that even if a particular key is obtained, the attacker cannot decrypt past or future encrypted data.

How do I respond to this vulnerability?

Defence recommendations for individual users:

Each website may need 1-3 days to fix this vulnerability; sites that respond quickly, such as Taobao and WeChat, may fix it faster. Wait until a site has finished patching before logging in. If you still do not trust it, you can also use an online test to check whether the site you want to log on to is safe. Users who have logged on to these sites in the meantime should change their passwords.

In addition, keep a close eye on your financial statements over the next few days. Because an attacker could have obtained credit card details from a server's memory, watch for unfamiliar debits on your bank statement.

Defence recommendations for enterprises: upgrade to the latest version of OpenSSL, 1.0.1g. Those who cannot upgrade immediately can recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS switch. For the 1.0.2-beta series, the vulnerability will be fixed in beta2. And do not forget to remind users to change their passwords after the upgrade, and to remind cloud service customers to regenerate their SSL keys and reissue their certificates.
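As an added example (not part of the original article), here is a small Python checker that classifies an OpenSSL version banner against the affected range described above (1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2) and recognises a build compiled with the -DOPENSSL_NO_HEARTBEATS switch. It assumes the `compiler:` line printed by `openssl version -a` lists the -D defines the library was built with; the sample banners are constructed for illustration.

```python
import re
import subprocess

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 ...".
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def heartbleed_status(banner, build_flags=""):
    """Classify an OpenSSL banner as 'vulnerable', 'patched', 'unaffected',
    'mitigated' (vulnerable version built without heartbeats) or 'unknown'.

    banner      -- first line of `openssl version` output
    build_flags -- the 'compiler:' line from `openssl version -a` (optional)
    """
    m = _BANNER_RE.search(banner)
    if not m:
        return "unknown"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)

    if (major, minor, patch) == (1, 0, 1):
        affected = letter <= "f"          # plain 1.0.1 ("") through 1.0.1f
    elif (major, minor, patch) == (1, 0, 2) and beta is not None:
        affected = int(beta) < 2          # 1.0.2-beta1 affected, beta2 fixed
    else:
        return "unaffected"               # 0.9.8, 1.0.0, 1.0.2 final, 1.1.x never had the bug

    if not affected:
        return "patched"
    # A build configured without heartbeats carries no vulnerable code even at 1.0.1f.
    if "OPENSSL_NO_HEARTBEATS" in build_flags:
        return "mitigated"
    return "vulnerable"


def local_openssl_status():
    """Run `openssl version -a` on this host and classify the result.
    Assumes (as stated in the lead-in) that the 'compiler:' line shows the -D defines."""
    out = subprocess.run(["openssl", "version", "-a"],
                         capture_output=True, text=True, check=True).stdout
    lines = out.splitlines()
    flags = next((line for line in lines if line.startswith("compiler:")), "")
    return heartbleed_status(lines[0], flags)


if __name__ == "__main__":
    print(local_openssl_status())
```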
