Sunday, April 13, 2014

Heartbleed

For 2 years Heartbleed, aka CVE-2014-0160, has been affecting the way websites protect information, allowing access to secret or proprietary data (such as login and credit card information, as well as metadata). When news of its existence hit the mainstream consciousness, a mad scramble to understand and neutralize the bug was underway, with mass media coverage, online bug-check tools, and an attempt to patch up the exploit.

But what is Heartbleed and what does it attack? How does a coding error allow access to personal information, and even enable the NSA to do its work with even more devious ease?

It is important to understand that Heartbleed is not a malicious line of code floating around the Internet; it is an exploit made possible by coding errors in the OpenSSL design. OpenSSL is a protocol that provides the basic cryptographic functions of the Transport Layer Security (TLS) protocol. Put simply, it lets the transport layer of the Internet function: the code that lets us connect to websites and servers, talk to each other over VoIP applications, chat with one another, and even write and post blogs.
Coders are currently working to produce version 1.02 of the OpenSSL protocol that cleans up the issue, but as of now the bug lets hackers send a 'heartbeat', a small packet of data, that prompts the recipient computer to respond with a line of data. This line of data could be any type of personal information, and thus the Heartbleed bug became a silent backdoor exploit for nefarious hackers and surveillance agencies.
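To make the "heartbeat" mechanism concrete, here is an added simulation (not OpenSSL's code, and not from this post's author) of what the coding error and its fix look like. A heartbeat message carries a declared payload length; the vulnerable handler trusts that number and copies that many bytes back, so a request that claims more than it sent gets whatever sits in memory after it. The fixed handler refuses any request whose declared length does not fit inside the record that was actually received. The arena, the "SECRET-SESSION-KEY" marker and the function names are constructed for this illustration; the whole thing runs inside one small byte array so it never touches real memory outside the program.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "process memory": a heartbeat record followed by unrelated
 * bytes that happen to sit next to it (a stand-in for the keys or form data
 * the post mentions). Everything stays inside this array. */
#define ARENA_SIZE 64
static unsigned char arena[ARENA_SIZE];

/* Heartbeat layout (RFC 6520): type(1) | payload_length(2) | payload | padding(16) */
#define HB_TYPE_REQUEST 1
#define HB_PADDING 16
#define SECRET "SECRET-SESSION-KEY"   /* constructed marker, 18 bytes */
#define SECRET_LEN 18

typedef struct { unsigned char *data; size_t length; } record_t;

/* Build a heartbeat request in the arena whose declared payload length may
 * exceed the payload actually sent (the Heartbleed condition), with the
 * constructed secret placed right after the record. */
record_t build_arena(uint16_t claimed_len, const char *actual_payload) {
    memset(arena, 0, sizeof arena);
    size_t actual = strlen(actual_payload);
    arena[0] = HB_TYPE_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, actual_payload, actual);
    size_t record_len = 3 + actual + HB_PADDING;   /* bytes the peer really sent */
    memcpy(arena + record_len, SECRET, SECRET_LEN); /* adjacent memory, never sent */
    record_t r = { arena, record_len };
    return r;
}

/* Vulnerable handler (models the pre-fix behaviour): copies payload_len bytes
 * from the payload pointer without checking that they lie inside the record.
 * Returns the number of bytes placed in out, or -1 if the message is rejected. */
int heartbeat_vulnerable(const record_t *rec, unsigned char *out, size_t out_cap) {
    const unsigned char *p = rec->data;
    if (p[0] != HB_TYPE_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    /* Guard only so the demonstration never leaves the constructed arena. */
    if (payload_len > out_cap || payload_len > ARENA_SIZE - 3) return -1;
    memcpy(out, p + 3, payload_len);   /* no check against rec->length: over-read */
    return (int)payload_len;
}

/* Fixed handler (models the patched behaviour): the declared payload must fit
 * inside the record actually received, otherwise the message is discarded. */
int heartbeat_fixed(const record_t *rec, unsigned char *out, size_t out_cap) {
    const unsigned char *p = rec->data;
    if (rec->length < 1 + 2 + HB_PADDING) return -1;          /* too short for a header */
    if (p[0] != HB_TYPE_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec->length) return -1; /* the missing check */
    if (payload_len > out_cap) return -1;
    memcpy(out, p + 3, payload_len);
    return (int)payload_len;
}

/* Did the response carry the constructed secret that the peer never sent? */
int response_contains_secret(const unsigned char *out, int n) {
    if (n <= 0) return 0;
    for (int i = 0; i + SECRET_LEN <= n; i++)
        if (memcmp(out + i, SECRET, SECRET_LEN) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[ARENA_SIZE];
    record_t rec = build_arena(40, "hi");   /* claims 40 payload bytes, sends 2 */
    int n = heartbeat_vulnerable(&rec, out, sizeof out);
    printf("vulnerable: copied %d bytes, secret leaked: %d\n", n, response_contains_secret(out, n));
    n = heartbeat_fixed(&rec, out, sizeof out);
    printf("fixed: returned %d (message discarded)\n", n);
    return 0;
}
```

The whole difference is the single length comparison in `heartbeat_fixed`: once the declared length is checked against the record length, a request that claims more than it sent is dropped instead of answered, which is why the repair could be a small patch even though the impact was so broad.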

Most users will be unable to do anything about the bug itself; the only safeguard available to them is to change all their passwords and check back with their most frequented websites for news of a fix. The real uphill battle is for website owners, who must now wait on a fix to the OpenSSL protocol.
