Even Secure is not Secure anymore: Heartbleed bug


Heartbleed Bug: All you want to know about

Until now, whenever we did any transaction on the Internet, whether online shopping, transferring money through online banking, or logging into Gmail or Facebook, we always checked for the LOCK, which assured us that our transactions and the information we entered were safe behind strong encryption. It doesn't matter who you are: a technology expert, a businessman, or an ordinary person with Internet access, everyone simply trusted this lock.

What does this LOCK mean?

Before getting to the main topic, I would like to briefly explain the lock, as it is important for everyone to understand. Ask anyone what the lock means and they will say it represents "secured", i.e. "https". But there is a significant piece of technology working behind this channel to make it secure, known as SSL (Secure Sockets Layer), a protocol commonly used to secure data transmission over a network (the Internet or any other network). It encrypts all the data you send over the Internet so that it can only be read by the server that knows the decryption key.

The flow chart below, by Powersolution, explains how SSL works in detail:

[Image: SSL flowchart]

What is Heartbleed?

The Heartbleed Bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. The bug was discovered by a member of Google's security team and a software security firm called Codenomicon. It affects web servers running Apache and Nginx software, and it has the potential to expose private information that users enter into websites, applications, web email and even instant messages. So, I can say that all the information you have entered on websites by trusting the LOCK is no longer secure, and anyone can read data you have entered, such as credit card numbers, passwords, email addresses, account numbers, etc.

Watch the video below by http://mashable.com explaining the Heartbleed bug.

How to Protect

Users:
As this bug was first discovered by researchers, we can be somewhat assured that our information is safe, but it is hard to say whether hackers or anyone else had already exploited the bug before then.

So, Internet users first have to identify whether the websites they use are affected. You can check the text file uploaded on GitHub, which contains the list of websites vulnerable to and affected by this bug. If you don't want to go through the huge list, you can visit HeartBleed Checker, which lets you enter the URL of any website to check its vulnerability to the bug. If the site is vulnerable, please change your passwords immediately.

For Server Owners & System Admins:
Only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1. To fix the bug, upgrade to OpenSSL 1.0.1g; if you cannot upgrade right now, you can recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS option.
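
One way to apply the version ranges above to the output of "openssl version -a", as an added example (not code from the original post or from the OpenSSL project). The function name heartbleed_status and the sample outputs are constructed for illustration, and it assumes the -DOPENSSL_NO_HEARTBEATS flag shows up in the "compiler:" line of that output.

```shell
#!/bin/sh
# Added example: classify `openssl version -a` output against the upstream
# ranges stated above.
# Result: affected | heartbeats-disabled | not-affected | unknown

heartbleed_status() {
    # $1: full text of `openssl version -a`; the first line is the banner.
    banner=$(printf '%s\n' "$1" | head -n 1)
    name=$(printf '%s\n' "$banner" | awk '{print $1}')
    ver=$(printf '%s\n' "$banner" | awk '{print $2}')

    # Forks such as LibreSSL number their releases differently.
    [ "$name" = "OpenSSL" ] || { echo unknown; return 0; }

    case "$ver" in
        # 1.0.1 through 1.0.1f (vendor suffixes such as -fips included)
        # and 1.0.2-beta1; suffixed builds are treated conservatively.
        1.0.1|1.0.1-*|1.0.1[abcdef]|1.0.1[abcdef]-*|1.0.2-beta1)
            # Assumption: a build configured with the workaround flag
            # lists it among the compiler flags.
            if printf '%s\n' "$1" | grep -q -e '-DOPENSSL_NO_HEARTBEATS'; then
                echo heartbeats-disabled
            else
                echo affected
            fi ;;
        [0-9]*.[0-9]*) echo not-affected ;;
        *)             echo unknown ;;
    esac
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_AFFECTED='OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O3 -Wall'
SAMPLE_MITIGATED='OpenSSL 1.0.1f 6 Jan 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O3 -Wall'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O3 -Wall'

for s in "$SAMPLE_AFFECTED" "$SAMPLE_MITIGATED" "$SAMPLE_FIXED"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" \
        "$(heartbleed_status "$s")"
done
# On a live host: heartbleed_status "$(openssl version -a)"
```

A distribution package can carry a backported fix while still reporting an affected upstream version, so treat "affected" as a prompt to check the vendor's package changelog rather than as proof.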

Visit heartbleed.com for more information and the latest updates on the bug.

About: Mike

Milind Koyande loves to work on new technologies, especially virtualization, and to troubleshoot server problems. I'm an avid photographer and love to spend my free time close to nature, trying to capture its glory on my camera.

