The Heartbleed Bug – By Konrad Krawczyk


By now, you’ve probably heard of the Heartbleed bug; the flaw in the OpenSSL method of data encryption that lets hackers steal user names, passwords, emails and instant messages, credit card information, and more, while also evading detection. For the most part, aside from changing your passwords and avoiding sites that have allegedly been affected, there’s not much else you can do to combat the bug.

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

However, Qualys, a Web security firm, has developed a tool that lets you scan any website to see if it’s vulnerable to the Heartbleed bug. It’s easy to pull off, too: here’s how.

Go to the Qualys SSL Labs page here, type in the name of a website, and click “Submit” to assess its vulnerability to the OpenSSL Web encryption bug. When the scan is complete, you should see a notification telling you whether the site is hit by Heartbleed.

It’s worth noting that the feature is labeled “Experimental” on the site. In our experience, it took up to a minute to complete a scan, and timing varied from one website to the next, so we urge you to exercise patience when using this tool to scan your favorite page.

The domain check may take quite a while. I checked a bank site just now and that took a few minutes, so please be patient.

A quite good result - especially for an online bank.

What really scared me is the result for paypal.com:

Scary - for a bank

You can read the full article by Konrad Krawczyk here.