by admin | Apr 12, 2014 | Tech Updates
By: Jerome Auza

I normally stay away from affairs of the heart, but someone in the computing industry gave a quite romantic name to a potentially catastrophic flaw in a security system we trust: Heartbleed. The flaw is described in detail, in almost layman's terms, at www.heartbleed.com. In a nutshell, the bug allows any unauthorized user to query a server and capture unencrypted data from OpenSSL, a popular open source implementation of the SSL protocol. The SSL protocol is used in many applications that require encrypted data traffic between a user's computer and a server. An example is HTTPS, the secure HTTP protocol commonly used in most applications requiring encryption, such as online banking, Facebook and other social networking sites, webmail systems and many more. The flaw existed for about two years but was only discovered earlier in April 2014. In fairness to the programmer and the peer reviewers, it is a subtle bug that does not really become obvious until the code is in production and many users are using it. It was discovered independently by a team of security engineers (Riku, Antti and Matti) at Codenomicon and by Neel Mehta of Google Security. It is called Heartbleed because the bug existed in OpenSSL's implementation of the SSL protocol's heartbeat extension. In computer applications, a heartbeat is the general term for the method an application uses to inform other applications, or the users of that application, that it is still running. When the heartbeat data exchange is done, it is possible for an unauthorized user to fake the length of the data it needs, and the server simply returns that...
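The length mismatch described above, shown as an added example rather than code from the post or from OpenSSL itself: a small C simulation of a heartbeat record (type, two-byte length, payload, padding) handled first by a handler that trusts the length field inside the record, and then by a handler that applies the kind of bounds check the fix introduced, namely that header, claimed payload and minimum padding must fit inside the record the server actually received. The "server memory" buffer, the neighbouring session data placed after the record, and the function names are all constructed for this illustration; the unpatched handler is clamped to the simulation buffer purely so the demo stays inside its own memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record layout used by the simulation:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define HB_TYPE_REQUEST 1
#define HB_MIN_PADDING  16
#define MEM_SIZE        64

/* Constructed stand-in for the server's process memory: the record sits at the
 * front and unrelated data from another session sits right after it. */
static unsigned char server_memory[MEM_SIZE];
static const char NEIGHBOUR[] = "session-cookie=abc";   /* constructed sample data */

/* Build a record whose length field claims `claimed_len` payload bytes while
 * actually carrying only `real_len`. Returns the number of bytes really written. */
static size_t build_record(unsigned char *buf, uint16_t claimed_len,
                           const char *payload, size_t real_len)
{
    buf[0] = HB_TYPE_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + 3, payload, real_len);
    memset(buf + 3 + real_len, 0, HB_MIN_PADDING);
    return 3 + real_len + HB_MIN_PADDING;
}

/* Unpatched behaviour: copies as many bytes as the record's own length field
 * claims, never comparing it with the length actually received. `mem_avail`
 * is a simulation-only guard so the copy stays inside server_memory. */
static size_t heartbeat_unpatched(const unsigned char *rec, size_t mem_avail,
                                  unsigned char *out)
{
    size_t n = (size_t)((rec[1] << 8) | rec[2]);
    if (n > mem_avail - 3)
        n = mem_avail - 3;            /* simulation guard only */
    memcpy(out, rec + 3, n);
    return n;
}

/* Patched behaviour: header + claimed payload + minimum padding must fit in
 * the record length the TLS layer delivered; otherwise the request is dropped.
 * Returns the payload length echoed, or -1 when the request is discarded. */
static long heartbeat_patched(const unsigned char *rec, size_t rec_len,
                              unsigned char *out)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING)
        return -1;
    size_t payload_len = (size_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return -1;
    memcpy(out, rec + 3, payload_len);
    return (long)payload_len;
}

/* Place a record claiming `claimed_len` bytes (but carrying "hi") in memory,
 * followed by the neighbouring session data. Returns the real record length. */
static size_t stage_memory(uint16_t claimed_len)
{
    memset(server_memory, 0, sizeof server_memory);
    size_t rec_len = build_record(server_memory, claimed_len, "hi", 2);
    memcpy(server_memory + rec_len, NEIGHBOUR, sizeof NEIGHBOUR - 1);
    return rec_len;
}

/* How many bytes beyond the received record the unpatched handler echoes back
 * (and verifies that those bytes are the neighbouring session's data). */
long demo_unpatched_leak(void)
{
    unsigned char out[MEM_SIZE];
    size_t rec_len = stage_memory(40);
    size_t got = heartbeat_unpatched(server_memory, MEM_SIZE, out);
    size_t in_record = rec_len - 3;                 /* payload + padding actually sent */
    if (got <= in_record)
        return 0;
    if (memcmp(out + in_record, NEIGHBOUR, sizeof NEIGHBOUR - 1) != 0)
        return -1;
    return (long)(got - in_record);
}

/* The same oversized claim against the patched handler: request is discarded. */
long demo_patched_oversized(void)
{
    unsigned char out[MEM_SIZE];
    size_t rec_len = stage_memory(40);
    return heartbeat_patched(server_memory, rec_len, out);
}

/* An honest claim (length field matches the payload) is still answered. */
long demo_patched_honest(void)
{
    unsigned char out[MEM_SIZE];
    size_t rec_len = stage_memory(2);
    return heartbeat_patched(server_memory, rec_len, out);
}

int main(void)
{
    printf("unpatched: %ld bytes of neighbouring memory echoed back\n", demo_unpatched_leak());
    printf("patched, oversized claim: %ld (discarded)\n", demo_patched_oversized());
    printf("patched, honest claim: %ld bytes echoed\n", demo_patched_honest());
    return 0;
}
```

The check in `heartbeat_patched` is the whole defence: the length the client wrote into the record is untrusted input, and the only trustworthy bound is the number of bytes the transport layer actually handed over. The neighbouring "session-cookie" string stands in for whatever else happened to be adjacent in the process at the time; in the simulation it is a fixed string so the result is repeatable.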