Wednesday, April 9, 2014

Emergency SSL/TLS Patching Under Way

Emergency SSL/TLS Patching Under Way

A "Heartbleed" flaw revealed in the OpenSSL library leaks the contents of memory, including passwords, source code, and keys.

The race is on to fix SSL-based websites and software in the wake of a newly revealed and dangerous flaw in the popular OpenSSL library for encrypting HTTP traffic, with nearly one-third of major websites potentially at risk.

OpenSSL released a patch yesterday for a read-overrun bug in its implementation of the Transport Layer Security protocol's "heartbeat" extension, an extension to the protocol that checks on the site to which it is connecting to ensure it's connected and can respond. If exploited, the bug leaks the contents of the memory from the server to the client and vice versa, potentially exposing passwords and other sensitive data and, most alarmingly, the SSL server's private key. OpenSSL Versions 1.0.1 and 1.0.2 beta are affected by the vulnerability, which was discovered by security researchersat Google and Codenomicon.

No comments:

Post a Comment