Security researchers have come up with a new zero-day in the OpenSSL, which powers up most of the websites in this world for encrypting data going in and out. Researchers have name the bug as ‘HeartBleed’ and it can be exploited to gain credentials stored at the server.
For those who don’t know what OpenSSL is, it is cryptographic software library to secure data being transmitted in between the server and clients. Its toughens up the web security by encrypting the data. The bug can be exploited for an attacker to gain the encryption keys used by the server, which on later can be used to intercept the data or even to carry out Man In The Middle attack — commonly known as MITM.
Researchers wrote, ” The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.”
Researchers, for testing out the bug, attacked their own servers and without any privileged information like username or password, they were able to steal X.509 certificates, usernames and password stored at the server. The bug, which has compromised the SSL ( secure socket layer ), can now be fixed with the instructions given at OpenSSL website . Operating system vendors and distribution, appliance vendors, independent software vendors are now required to fix it as soon as possible.
Last year, a few more security researchers demonstrated how an attacker can break the SSL/TLS layer. One was called as ‘BREACH’ and another was known as ‘CRIME’. SSL uses cryptographic algorithms and techniques like PKI to encrypt the data with public and private keys.
The above methods were only for intercepting the SSL data, but with ‘HeartBleed’ an attacker can completely take over the servers and data being transmitted with it.