Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
What You Need To Know About Heartbleed, A Really Major Bug That Short-Circuits Web Security ReadWrite
Lauren Orsini
Heartbleed, a long-undiscovered bug in cryptographic sof tware called OpenSSL that secures Web communications, may have lef t roughly two-thirds of the Web vulnerable to eavesdropping for the past two years. Heartbleed isn't your garden-variety vulnerability, so here's a quick guide to what it is, why it's so serious, and what you can do to keep your data saf e.
What's Heartbleed?
T he short version is that it's a vulnerability in the way your browser talks to a website over an encrypted channel. An attacker could theoretically take advantage of the bug to unravel the secure channels used by banks, e-commerce sites and other sensitive locations to steal passwords and other sensitive inf ormation. T he slightly longer version is that Heartbleed is a f law in the OpenSSL implementation of the basic cryptographic protocol that secures Web communications, known as SSL.
What's SSL?
It stands f or Secure Socket Layer, a cryptographic protocol that puts the S in "https"the pref ix you see on Web addresses when they're using a secure, encrypted connection. SSL basically ensures that no one can eavesdrop while you're banking, shopping or doing anything else rth reading your email at Gmail and similar services, or connecting to other sensitive sites.
What's OpenSSL?
OpenSSL is an open-source implementation of SSL and its successor protocol, T LS (which stands f or Transport Security Layer). It's the def ault cryptographic library in the Apache and nginx Web servers, which together powered almost exactly two-thirds of all active websites as of April, according to Netcraf t data (h/t Ars Technica). T hat means OpenSSL is used to protect sensitive Web communications across a vast swathe of the Internet.
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data
directly from the services and users and to impersonate services and users.