Lest readers think "catastrophic" is too exaggerated a description for the critical defect affecting an estimated two-thirds of the Internet's Web servers,
consider this: at the moment this article was being prepared, the
so-called Heartbleed bug was exposing end-user passwords, the contents
of confidential e-mails, and other sensitive data belonging to Yahoo
Mail and almost certainly countless other services.
The two-year-old bug is the result of a mundane coding error in OpenSSL,
the world's most popular code library for implementing HTTPS encryption
in websites, e-mail servers, and applications. The result of a missing
bounds check in the source code, Heartbleed allows attackers to recover
large chunks of private memory belonging to the processes that run OpenSSL.
The leak is the digital equivalent of a grab bag that hackers can
blindly reach into over and over simply by sending a series of commands
to vulnerable servers. The returned contents could include something as
banal as a time stamp, or it could return far more valuable assets such
as authentication credentials or even the private key at the heart of a
website's entire cryptographic certificate.
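The "missing bounds check" the article refers to is easiest to see in a small, constructed heartbeat-style record handler. The code below is an added illustration written for this page, not OpenSSL's source: the record layout (one type byte, a two-byte big-endian payload length, the payload, then 16 bytes of padding) follows the general shape of the protocol, but the constants, function names and the sample records are assumptions. The point is the single comparison in `hb_validate`: the length the peer claims must fit inside the record that was actually received, otherwise the echo would copy whatever happens to sit past the end of the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record layout (not OpenSSL's definitions):
 * byte 0      : message type
 * bytes 1..2  : claimed payload length, big endian
 * bytes 3..   : payload
 * last 16     : padding
 */
#define HB_TYPE_REQUEST   1
#define HB_TYPE_RESPONSE  2
#define HB_PADDING        16
#define HB_MAX_PAYLOAD    16384   /* assumed cap for this illustration */

/* Validate a heartbeat request against the size of the record actually
 * received. Returns the payload length, or -1 if the request is malformed.
 * The comparison against rec_len is the bounds check whose absence let a
 * peer ask for far more bytes than it had sent. */
int hb_validate(const uint8_t *rec, size_t rec_len, size_t *payload_off) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;        /* cannot hold header + padding */
    if (rec[0] != HB_TYPE_REQUEST) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > HB_MAX_PAYLOAD) return -1;
    /* Header + claimed payload + padding must fit inside the received record. */
    if (1 + 2 + claimed + HB_PADDING > rec_len) return -1;
    *payload_off = 3;
    return (int)claimed;
}

/* Build a response that echoes only validated payload bytes and fills the
 * padding deterministically, so nothing outside the request is ever copied.
 * Returns the number of bytes written to out, or -1 on error. */
int hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len) {
    size_t off;
    int n = hb_validate(rec, rec_len, &off);
    if (n < 0) return -1;
    size_t need = 1 + 2 + (size_t)n + HB_PADDING;
    if (out_len < need) return -1;
    out[0] = HB_TYPE_RESPONSE;
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)(n & 0xFF);
    memcpy(out + 3, rec + off, (size_t)n);      /* bytes that really exist in rec */
    memset(out + 3 + n, 0, HB_PADDING);         /* never leftover process memory */
    return (int)need;
}

/* Constructed sample: an honest request carrying the 4-byte payload "ping". */
static const uint8_t honest_req[1 + 2 + 4 + HB_PADDING] = {
    HB_TYPE_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' /* padding zero-filled */
};

/* Constructed sample: a 20-byte record that claims a 65535-byte payload. */
static const uint8_t oversized_req[1 + 2 + 1 + HB_PADDING] = {
    HB_TYPE_REQUEST, 0xFF, 0xFF, 'x'
};

/* Returns the validated payload length for the honest request (4). */
int demo_accepts_honest_request(void) {
    size_t off;
    return hb_validate(honest_req, sizeof honest_req, &off);
}

/* Returns -1: the claimed length does not fit in the received record. */
int demo_rejects_oversized_claim(void) {
    size_t off;
    return hb_validate(oversized_req, sizeof oversized_req, &off);
}

/* Returns the response length for the honest request (23) and copies the
 * echoed payload into echo, which must hold at least 4 bytes. */
int demo_response_length(uint8_t *echo) {
    uint8_t out[64];
    int n = hb_respond(honest_req, sizeof honest_req, out, sizeof out);
    if (n > 0) memcpy(echo, out + 3, 4);
    return n;
}

int main(void) {
    uint8_t echo[4];
    printf("honest request   -> payload length %d\n", demo_accepts_honest_request());
    printf("oversized claim  -> %d (rejected)\n", demo_rejects_oversized_claim());
    printf("response length  -> %d, echo=%.4s\n", demo_response_length(echo), echo);
    return 0;
}
```

A server that applies this check before reading from the record can still echo a heartbeat, but only the bytes the peer actually sent; a claimed length larger than the record is simply dropped, which is the behaviour the patched library adopted.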