- Global Voices - http://globalvoicesonline.org -
“HeartBleed”: Defect in Information Encryption Threatens Internet User Security
Written by Marco Molina · Translated by Betsy Galbreath On 26 April 2014 @ 19:49 pm | 1 Comment
In Citizen Media, Spanish, Technology, Weblog
On April 7, 2014, OpenSSL  publicly broke the news about the vulnerability  called Heartbleed . The news caused a stir in the world of technology after the announcement. The vulnerability in the OpenSSL software was discovered by Neel Mehta; and Bodo Moeller and Adam Langley were asked to correct it.
The Heartbleed bug  is a vulnerability found in some versions of OpenSSL cryptographic software libraries. These libraries handle security for the biggest websites. In summary, a vulnerability found in any part of the software (the often mentioned “heartbeat” extension, which allows a secure connection to the server where websites are hosted) allows hackers to read and collect data that is stored in the memories of these systems. This failure has the potential to be one of the biggest vulnerabilities of rapid expansion in the modern history of the internet. The vulnerability is present in versions 1.0.1 up to 1.0.1f of OpenSSL (but not in other versions of OpenSSL).
On the website Schneier on security, Bruce Schneier  says:
Catastrófico es la palabra correcta. En una escala de 1 al 10, esto es un 11.
Catastrophic is the right word. On the scale of 1 to 10, this is an 11.
Meanwhile, Matthew Green  writes in his blog
The problem is fairly simple: there's a tiny vulnerability — a simple missing bounds check — in the code that handles TLS ‘heartbeat’ messages. By abusing this mechanism, an attacker can request that a running TLS server hand over a relatively large slice (up to 64KB) of its private memory space.
At the root of HeartBleed is the encryption of data. By analogy, encryption is a secret language between two people. The Internet works by using certain security protocols and encryption commonly known as Transport Security Layers (TSL)  and previously, Sockets Security Layers (SSL). SSL and TSL are a set of open source tools known as Open SSL. It is also known as Open SSL  and works on 66% of the net as the encryption protocol to keep internet users’ information protected from misuse.
What is the vulnerability?
The TSL Heartbeat mechanism is designed to keep connections alive even when not transmitting data. Heartbeat messages sent by a pair contain random data and payload length. The other pair is expected to respond with a mirror of exactly the same data.
So what happens if Open SSL is faulty? What happens is that these secret keys which are shared with the server are suddenly accessible to anyone. This means that there is a lot of information available to anyone and users will probably never know who else has access to the information.
The worst part is that this vulnerability has existed since December 2011, and many software packages started using the vulnerable version of Open SSL after May 8, 2012. This means that for two years, any website, application, bank or IM service using SSL security protocols was vulnerable.
This weakness is technically complicated to fix and it is not enough that information technology professionals use the patch on copies of Open SSL that are using their devices, applications or websites.
To avoid being victimized by this vulnerability in encryption protocols used on the Internet, one should first check that suppliers have updated the Heartbleed patch. Then the password must be changed.
The feeling of alert remains in force [Twitter links are in Spanish]
— hackplayers (@hackplayers) abril 21, 2014 
Google Dork to find Juniper SSL VPNs vulnerable to # HeartBleed: The heart of the Internet continues to bleed ….
#Heartbleed  sí que puso a temblar a los database managers de todo el mundo y a nosotros a cambiar passwords. La vulnerabilidad es universal
— Clicerio MP (@ClicerioMP) abril 21, 2014 
Heartbleed has shaken up database managers worldwide and made us change passwords. Vulnerability is universal.
— Juan Carlos Vázquez (@jc_vazquez) abril 21, 2014 
[Infographic] # Heartbleed’s bottom line… interesting note on the data protection law.
— AMIPCI (@AMIPCI) abril 21, 2014 
Heartbleed threatens your privacy, change your passwords!
Mashable  presents a list of web sites that are subject to the Heartbleed vulnerability for which it is recommended that we change our passwords.
Article printed from Global Voices: http://globalvoicesonline.org
URL to article: http://globalvoicesonline.org/2014/04/26/heartbleed-defect-in-information-encryption-threatens-internet-user-security/
URLs in this post:
 theglobalpanorama: https://www.flickr.com/photos/121483302@N02/13880480664
 OpenSSL: https://www.openssl.org/
 the vulnerability: http://www.openssl.org/news/secadv_20140407.txt
 Heartbleed: http://en.wikipedia.org/wiki/Heartbleed
 Heartbleed bug: http://heartbleed.com/
 Bruce Schneier: https://www.schneier.com/blog/archives/2014/04/heartbleed.html
 Matthew Green : http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html
 Transport Security Layers (TSL): http://en.wikipedia.org/wiki/Transport_Layer_Security
 #HeartBleed: https://twitter.com/search?q=%23HeartBleed&src=hash
 http://t.co/eczbWdnqon: http://t.co/eczbWdnqon
 abril 21, 2014: https://twitter.com/hackplayers/statuses/458387434527395840
 #Heartbleed: https://twitter.com/search?q=%23Heartbleed&src=hash
 abril 21, 2014: https://twitter.com/ClicerioMP/statuses/458372203176677376
 pic.twitter.com/aMMfMqd16I: http://t.co/aMMfMqd16I
 abril 21, 2014: https://twitter.com/jc_vazquez/statuses/458350279608397824
 http://t.co/3wB85d4AX5: http://t.co/3wB85d4AX5
 abril 21, 2014: https://twitter.com/AMIPCI/statuses/458297888695934976
 Mashable: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-fb-tech-link
Licensed Creative Commons Attribution, 2008 Global Voices Online. See attribution policy for details: http://globalvoicesonline.org/about/global-voices-attribution-policy