Analysis: OpenSSL "Heartbleed", the most dangerous website security vulnerability

Lead: Apache and nginx, two of the most popular web servers, both use OpenSSL. Together these two servers account for roughly two-thirds of all websites worldwide.


On Tuesday, the U.S. news website Vox published a comprehensive explainer on the OpenSSL "Heartbleed" vulnerability.

Below is the full text of the article:

What is SSL?

SSL is a widely used encryption technology that protects users' private information as it travels across the internet. When a user visits a secure site, a "lock" icon appears next to the URL in the address bar, indicating that communication with that site is encrypted.

The "lock" means that no third party can read the communication between you and the site. Behind the scenes, SSL encrypts the data so that only the intended recipient can decrypt it. A criminal who eavesdrops on the user's session sees only a string of random-looking characters and cannot make out the contents of e-mails, Facebook posts, credit card numbers or other private information. Note that SSL protects data in transit; once the data sits decrypted in the server's memory, SSL no longer protects it, and that is exactly where Heartbleed strikes.

SSL was first introduced by Netscape in 1994 and has been supported by all major browsers since the 1990s. In recent years many large web services have switched it on by default to encrypt their traffic. Today Google, Yahoo and Facebook all use SSL by default on their websites and online services.

What is the "Heartbleed" vulnerability?

Most SSL-encrypted sites use an open-source software package called OpenSSL. On Monday, researchers announced that the software contains a serious vulnerability (tracked as CVE-2014-0160) that can expose users' communications to an eavesdropper. The flaw has been present in OpenSSL for about two years: it entered with the 1.0.1 release in March 2012, affects 1.0.1 through 1.0.1f, and is fixed in 1.0.1g.

How it works: the TLS standard includes a "heartbeat" extension that lets a computer on one end of an SSL connection send a short message to confirm that the computer on the other end is still alive, and get a reply back. Each heartbeat message carries a small payload and a field stating how long that payload is; the receiver is supposed to echo the payload back. The researchers found that a maliciously crafted heartbeat message, one whose declared payload length is far larger than the payload actually sent, tricks the other computer into leaking confidential information: vulnerable OpenSSL never checked the declared length against what was really received, so it copied that many bytes from its own memory into the reply. Up to 64 KB of whatever happened to sit next to the message in the server's memory was returned to the sender with each request.
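The mechanism above, as an added example in C that is not code from OpenSSL or from the article. It simulates only the heartbeat body (type byte, two-byte payload length, payload, padding), with no TLS record framing, and places a constructed secret string directly after the request in a small fixed arena to stand in for whatever adjacent heap data a real server would leak. The arena size, the secret and the sample payload are all assumptions of the simulation; the bounds check in the fixed handler mirrors the one added in OpenSSL 1.0.1g.

```c
/* Added example (not OpenSSL's own code): Heartbleed bounds-check bug simulated
 * in a fixed arena. Layout assumed here: [type][len_hi][len_lo][payload][padding]
 * followed immediately by a constructed "secret", as adjacent heap data would be. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define ARENA_SIZE  256
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520 requires at least 16 bytes of padding */

static unsigned char arena[ARENA_SIZE];
static const char secret[] = "session=deadbeefcafe";   /* constructed sample */

/* Build a heartbeat request at the start of the arena. `payload` is what is
 * really sent; `claimed_len` is the payload_length field the sender writes
 * (an attacker makes it larger than the real payload). Returns the number of
 * bytes the record actually occupies. Padding bytes are left as zeros. */
size_t build_heartbeat(const char *payload, uint16_t claimed_len) {
    size_t plen = strlen(payload);
    size_t record_len = 1 + 2 + plen + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, plen);
    memcpy(arena + record_len, secret, sizeof secret);  /* "heap" data after the record */
    return record_len;
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1 to 1.0.1f: it trusts the
 * payload_length field and echoes that many bytes, never comparing it with
 * record_len. The resp_cap check is only the simulation's arena edge; the real
 * code read up to 64 KB past the record. Returns bytes echoed, or -1. */
int heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                         unsigned char *resp, size_t resp_cap) {
    (void)record_len;                                /* never consulted: the bug */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)claimed > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, claimed);              /* over-reads past the record */
    return claimed;
}

/* Fixed handler, modelled on the 1.0.1g check: header, declared payload and
 * minimum padding must fit inside the record actually received, otherwise the
 * request is silently dropped. Returns bytes echoed, or -1 if rejected. */
int heartbeat_fixed(const unsigned char *rec, size_t record_len,
                    unsigned char *resp, size_t resp_cap) {
    if (record_len < 1 + 2 + HB_PADDING) return -1;               /* too short */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)claimed + HB_PADDING > record_len) return -1; /* the Heartbleed check */
    if (3 + (size_t)claimed > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, claimed);
    return claimed;
}

/* Does buf[0..n) contain the secret? (memmem is not portable, so search by hand.) */
int contains_secret(const unsigned char *buf, size_t n) {
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, secret, slen) == 0) return 1;
    return 0;
}

/* Attacker sends a 5-byte payload but claims 100: 1 if the vulnerable handler
 * echoed the secret that sat after the record. */
int vulnerable_leaks_secret(void) {
    unsigned char resp[ARENA_SIZE];
    size_t rl = build_heartbeat("hello", 100);
    int n = heartbeat_vulnerable(arena, rl, resp, sizeof resp);
    return n == 100 && contains_secret(resp + 3, (size_t)n);
}

/* Same oversized request against the fixed handler: 1 if it is rejected. */
int fixed_rejects_oversized(void) {
    unsigned char resp[ARENA_SIZE];
    size_t rl = build_heartbeat("hello", 100);
    return heartbeat_fixed(arena, rl, resp, sizeof resp) == -1;
}

/* Honest request (claimed length equals real payload): 1 if the fixed handler
 * echoes exactly the payload and nothing from beyond the record. */
int fixed_echoes_honest(void) {
    unsigned char resp[ARENA_SIZE];
    size_t rl = build_heartbeat("hello", 5);
    int n = heartbeat_fixed(arena, rl, resp, sizeof resp);
    return n == 5 && memcmp(resp + 3, "hello", 5) == 0
        && !contains_secret(resp + 3, (size_t)n);
}

int main(void) {
    unsigned char resp[ARENA_SIZE];
    size_t rl = build_heartbeat("hello", 100);
    int n = heartbeat_vulnerable(arena, rl, resp, sizeof resp);
    printf("vulnerable handler echoed %d bytes for a %zu-byte record:\n", n, rl);
    for (int i = 0; i < n; i++)           /* printable dump of the leaked bytes */
        putchar(resp[3 + i] >= 32 && resp[3 + i] < 127 ? resp[3 + i] : '.');
    printf("\nfixed handler result for the same request: %d\n",
           heartbeat_fixed(arena, rl, resp, sizeof resp));
    return 0;
}
```

Running it shows the vulnerable reply carrying "hello", the zero padding and then the constructed secret, while the fixed handler returns -1 for the same bytes. The single comparison against record_len is the entire patch; everything else about the handler is unchanged.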

How serious is the vulnerability?

Very serious, because a great deal of private information is held in server memory. Princeton University computer scientist Ed Felten said that an attacker can use this technique together with pattern matching to sift through the leaked data and find keys, passwords, credit card numbers and other personal information.
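The sifting step Felten describes, as an added example in C that is not code from the article: it scans a dump of bytes for card-number candidates (digit runs that pass the Luhn check, which weeds out most order numbers and timestamps) and for key=value fields such as passwords and session cookies. The dump is a constructed sample embedded in the code, not real leaked memory, and it may contain NUL bytes, so the scan works on lengths rather than C strings.

```c
/* Added example (not from the article): pattern-matching a memory dump for
 * secrets. The dump below is a constructed sample, not real leaked data. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Constructed "leaked memory": fragments of an HTTP request with a session
 * cookie, a password field, a Luhn-valid test card number and a 16-digit
 * order id that should not be mistaken for a card. NULs are deliberate. */
static const unsigned char sample_dump[] =
    "\x00\x00GET /login HTTP/1.1\r\nCookie: session=9f8e7d6c5b4a\r\n\x00\x00"
    "user=alice&password=hunter2&card=4111111111111111\x00\x00"
    "order=1234567890123456\x00\x00\x00";
#define SAMPLE_LEN (sizeof sample_dump - 1)

/* Luhn checksum over an ASCII digit run: real card numbers pass, most random
 * digit runs fail, so it is a cheap filter for card-number candidates. */
int luhn_ok(const char *digits, size_t n) {
    int sum = 0, dbl = 0;
    for (size_t i = n; i-- > 0; ) {         /* walk from the rightmost digit */
        int d = digits[i] - '0';
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* Count maximal digit runs of 13..19 characters that pass Luhn. */
int count_card_candidates(const unsigned char *buf, size_t n) {
    int found = 0;
    size_t i = 0;
    while (i < n) {
        if (!isdigit(buf[i])) { i++; continue; }
        size_t j = i;
        while (j < n && isdigit(buf[j])) j++;
        size_t len = j - i;
        if (len >= 13 && len <= 19 && luhn_ok((const char *)buf + i, len)) found++;
        i = j;
    }
    return found;
}

/* Find "key=" in the dump and copy its value (up to '&', CR, LF or NUL) into
 * out. Returns the value length, or -1 if the key is absent. strstr cannot be
 * used because the dump contains NUL bytes. */
int extract_field(const unsigned char *buf, size_t n, const char *key,
                  char *out, size_t cap) {
    size_t klen = strlen(key);
    for (size_t i = 0; i + klen + 1 <= n; i++) {
        if (memcmp(buf + i, key, klen) != 0 || buf[i + klen] != '=') continue;
        size_t v = i + klen + 1, len = 0;
        while (v + len < n && len + 1 < cap) {
            unsigned char c = buf[v + len];
            if (c == '&' || c == '\r' || c == '\n' || c == '\0') break;
            out[len++] = (char)c;
        }
        out[len] = '\0';
        return (int)len;
    }
    return -1;
}

/* Convenience: does `key` in the sample dump hold exactly `expected`? */
int sample_field_is(const char *key, const char *expected) {
    char val[64];
    if (extract_field(sample_dump, SAMPLE_LEN, key, val, sizeof val) < 0) return 0;
    return strcmp(val, expected) == 0;
}

int main(void) {
    char val[64];
    const char *keys[] = { "session", "password", "card", "order" };
    for (size_t k = 0; k < sizeof keys / sizeof keys[0]; k++)
        if (extract_field(sample_dump, SAMPLE_LEN, keys[k], val, sizeof val) >= 0)
            printf("%-9s = %s\n", keys[k], val);
    printf("Luhn-valid card candidates: %d\n",
           count_card_candidates(sample_dump, SAMPLE_LEN));
    return 0;
}
```

Against the sample, the scan recovers the session cookie, the password and the card number but counts only one card candidate: the order id has sixteen digits too, yet fails Luhn, which is why the checksum matters when sifting many kilobytes of noise.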

How much harm the loss of a credit card number and password can do needs no explanation. But the consequences could be even worse. This is information
