Linked by Thom Holwerda on Tue 8th Apr 2014 22:06 UTC
Privacy, Security, Encryption

Heartbleed, a long-undiscovered bug in cryptographic software called OpenSSL that secures Web communications, may have left roughly two-thirds of the Web vulnerable to eavesdropping for the past two years. Heartbleed isn't your garden-variety vulnerability, so here's a quick guide to what it is, why it's so serious, and what you can do to keep your data safe.

Serious.

Permalink for comment 586720
I found a better link covering the attack
by Priest on Wed 9th Apr 2014 01:12 UTC

It's available here: http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes...

At first I thought Heartbleed, or CVE-2014-0160, was just about being able to decrypt SSL messages without needing a man in the middle on the session, but that's not the case.

It allows an attacker to return data from the server's memory that could be SSL keys or data like the usernames/passwords of users communicating with the server.

Most importantly: it does not require being able to intercept a user's traffic to obtain their login credentials.

I could exploit an unpatched server and it will freely offer up user/pass combos of people communicating with it. It is a much, much more serious vulnerability than simply allowing me to decrypt traffic I had to capture on the wire.

Reply Score: 3
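The comment above describes what the bug lets an attacker read but not the shape of the defect. As an added illustration (not from the post or from OpenSSL), the following Python shows the length check that a heartbeat handler must make on a TLS heartbeat record (RFC 6520: type, 2-byte payload length, payload, at least 16 bytes of padding): a message that declares more payload than the record actually carries must be rejected rather than answered. The same check works as a detection rule on captured records. The sample records and the `build_heartbeat_record` helper are constructed for this example.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 0x18  # TLS record content type for the heartbeat extension
MIN_PADDING = 16               # RFC 6520 requires at least 16 bytes of padding


def check_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record. If it is a heartbeat message, report whether the
    declared payload length fits inside the record. A responder that trusts
    the declared length without this check copies that many bytes out of its
    own memory into the reply, which is the Heartbleed failure mode."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length field does not match bytes on the wire")
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return {"heartbeat": False, "suspicious": False}
    if len(body) < 3:
        return {"heartbeat": True, "suspicious": True,
                "reason": "heartbeat message shorter than its fixed header"}
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    # The defect: type(1) + length(2) + declared payload + minimum padding
    # must not exceed the record length. Anything larger is malformed and
    # must be dropped, never echoed back.
    fits = 1 + 2 + payload_len + MIN_PADDING <= rec_len
    return {
        "heartbeat": True,
        "hb_type": hb_type,
        "declared_payload_len": payload_len,
        "record_len": rec_len,
        "suspicious": not fits,
        "reason": None if fits else "declared payload length exceeds record length",
    }


def build_heartbeat_record(payload: bytes, declared_len=None, hb_type=1,
                           version=0x0301, padding=b"\x00" * MIN_PADDING) -> bytes:
    """Constructed helper for the example: wrap a heartbeat message in a TLS
    record. declared_len lets a test write a length field that lies."""
    if declared_len is None:
        declared_len = len(payload)
    body = struct.pack("!BH", hb_type, declared_len) + payload + padding
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, version, len(body)) + body


if __name__ == "__main__":
    # Constructed sample records: one well-formed, one whose length field lies.
    good = build_heartbeat_record(b"hello")
    bad = build_heartbeat_record(b"", declared_len=0x4000)
    print(check_heartbeat_record(good))
    print(check_heartbeat_record(bad))
```

Run over captured TLS records, the `suspicious` flag is the signal a monitoring rule keys on; inside a server, the same comparison is the point where a malformed heartbeat should be discarded instead of answered.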