A serious bug is found in OpenSSL used by about 66% of sites on the Internet

ByNguyen Hung Vu

Encrypted communication standardly used on the InternetprotocolofSSL / TLSOpen source implementation ofLibrary"OpenSSL, We discovered a vulnerability in which information protected by SSL / TLS encryption is stolen even if it is not in a special environment.

Heartbleed Bug

"Heartbleed BugA vulnerability named "OpenSSL 1.0.1 to 1.0.1f" was discovered, and if any vulnerability is exploited, anyone can read the memory of these OpenSSL-protected systems It will be able to do. As the memory is browsed, it identifies the service provider and encrypts information such as user traffic, name and passwordPrivate keyIs compromised and a malicious attacker can intercept communications directly from services and users and steal data.

ByD. Sharon Pruitt

I am using OpenSSLApacheYaNginxIt is an open source web server like,Approximately 66% of sites on the InternetI am using Apache, or nginx. OpenSSL is also used for mail servers using the SMTP, POP, and IMAP protocols, chat servers of the XMPP protocol, various types of client software, and its impact is quite extensive.

Heartbleed Bug is not limited to sites on the Internet that are affected. "Debian Wheezy"Ubuntu 12.04.4 LTS"CentOS 6.5"Fedora 18"OpenBSD 5.3 / 5.4"FreeBSD 8.4 / 9.1"NetBSD 5.0.2"OpenSUSE 12.2OS also uses a version of OpenSSL that may contain vulnerabilities, so users need attention.

When a research company that examined Heartbleed Bug conducted an experiment that attempted to attack its company from the outside using vulnerability, it was confirmed that the companyX.509Public key certificate · Successfully steal key to access user name and password · instant message · mail and important documents etc. Moreover, no traces of the thief remained after the attack.

ByJudy van der Velden

If you are using OpenSSL that may contain a vulnerability, it is possible that Heartbleed Bug released on April 7, 2014Fix patch OpenSSL 1.0.1 gUpdate to mandatory. A security company that provides services using OpenSSLCloudFlare engineer"Before Heartbleed Bug was released to the public, information was provided by a hacker who knew about the vulnerability, so we were able to fix the problem in advance. Currently we are investigating vulnerabilities, There is a possibility to replace the TLS certificate depending on it. "

in Software, Posted by darkhorse_log