Starbuck (ExTS Admin)
Posted April 10, 2014

A critical flaw in OpenSSL has been found. This flaw affects everyone, as it hits the authentication methods of about 2/3 of all webservers.

The vulnerability has been named the "heartbleed" bug. The name refers to the heartbeat extension by which it is caused. The heartbeat extension usually serves to keep a connection alive, but due to the bug it now allows others to recover data sent over SSL/TLS. This compromises the keys used to identify you to the server and could allow the encrypted traffic you sent to be read... including names and passwords.

What versions of OpenSSL are affected?

Status of different versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

Some useful sites:
The Heartbleed Bug Q&A
This site lets you check if a website is affected: http://filippo.io/Heartbleed/
This site lets you check if a certificate is affected: https://sslcheck.globalsign.com/en_US

Member of: UNITE
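An added example, not part of the original post: a small checker that classifies the output of `openssl version` against the version list in the post. The function names and the sample lines in the comments and tests are constructed for illustration; treating 1.0.1 letters after "g" as fixed is an assumption beyond the post's list.

```python
import re
import ssl

# Matches lines such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.1e-fips ...".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(\S*)")

def letter_rank(letter):
    # OpenSSL patch letters run "", a..z, then za, zb...; order by length, then text.
    return (len(letter), letter)

def classify(version_line):
    """Classify an `openssl version` line using the status list from the post.

    Returns "vulnerable", "not vulnerable", "not covered" (branch not in the
    post's list) or "unparsed" (no OpenSSL version string found).
    """
    m = VERSION_RE.search(version_line)
    if not m:
        return "unparsed"
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, suffix = m.group(4), m.group(5)
    if "beta" in suffix or "dev" in suffix:
        return "not covered"          # pre-releases are not in the post's list
    if branch in ((0, 9, 8), (1, 0, 0)):
        return "not vulnerable"       # both branches listed as NOT vulnerable
    if branch == (1, 0, 1):
        # 1.0.1 through 1.0.1f inclusive are vulnerable; 1.0.1g carries the fix.
        # Assumption: later 1.0.1 letters also include the 1.0.1g fix.
        if letter_rank(letter) <= letter_rank("f"):
            return "vulnerable"
        return "not vulnerable"
    return "not covered"

def local_status():
    """Classify the OpenSSL build this Python interpreter is linked against."""
    return ssl.OPENSSL_VERSION, classify(ssl.OPENSSL_VERSION)

if __name__ == "__main__":
    # Caveat: distribution packages can carry a backported fix without changing
    # the version letter, so "vulnerable" here means "check the package changelog".
    version, status = local_status()
    print(f"{version}: {status}")
```
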