Nine Steps to Defeating the Heartbleed Bug

By Karen A. Frenkel  |  Posted 04-14-2014

The Heartbleed bug is a newly disclosed flaw in the OpenSSL cryptographic library, tracked as CVE-2014-0160, which affects encrypted communications between web applications, e-mail servers, instant messaging clients and some SSL-based virtual private network connections. The flaw lies in OpenSSL's handling of the TLS heartbeat extension: a crafted heartbeat request makes a vulnerable server (or client) return up to 64 KB of its process memory per request, and it does so without leaving anything abnormal in the logs. By repeating the request, attackers can recover SSL private keys, configuration file contents, usernames and passwords, and session tokens and cookie values; over DTLS, the same oversized heartbeat responses can also be abused for traffic amplification and distributed denial-of-service attacks.

OpenSSL has issued a security advisory indicating that only the 1.0.1 and 1.0.2-beta releases are affected, including 1.0.1f and 1.0.2-beta1; the 0.9.8 and 1.0.0 branches are not affected, and the fix ships in 1.0.1g (sites that cannot upgrade immediately can recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS). Because the vulnerable code has been in released OpenSSL since 1.0.1 appeared in March 2012 and exploitation leaves no trace, patching alone is not enough: private keys and certificates should be reissued and passwords and session credentials rotated once the server is fixed. (OpenSSL thanked Google Security's Neel Mehta for discovering the long-existing bug and Adam Langley and Bodo Moeller for the fix.) Several information security services firms, including Codenomicon and Accuvant Labs, have issued recommendations on how to mitigate the vulnerability.
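The mechanism behind the bug, as an added illustration: the code below is a simplified model written for this article, not OpenSSL's source and not taken from the Codenomicon or Accuvant reports. A TLS heartbeat request carries a 16-bit payload length field, and the vulnerable code copied that many bytes back to the peer without checking that the request it had received was actually that long. The functions heartbeat_vulnerable and heartbeat_fixed, the SECRET string and the "arena" that stands in for process memory are all constructed for the demonstration; the extra bounds check in heartbeat_fixed mirrors the one-line test that the 1.0.1g fix added.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of a TLS heartbeat record (RFC 6520), written for this
 * article; it is not OpenSSL's code.  Wire layout:
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16 bytes) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_MAX_REPLY (3 + 65535 + HB_PADDING)

/* Vulnerable handler: trusts the peer-declared payload_length and copies that
 * many bytes into the reply without checking how many bytes really arrived.
 * Returns the reply length, or -1 on a malformed header / oversized reply. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *reply, size_t reply_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    size_t out_len = 3 + payload + HB_PADDING;
    if (out_len > reply_cap) return -1;          /* only OUR buffer is guarded */
    reply[0] = HB_RESPONSE; reply[1] = rec[1]; reply[2] = rec[2];
    /* BUG: copies 'payload' bytes from rec+3 regardless of rec_len, so whatever
     * sits in memory after the short record goes back to the peer. */
    memcpy(reply + 3, rec + 3, payload);
    memset(reply + 3 + payload, 0, HB_PADDING);  /* real code uses random padding */
    return (int)out_len;
}

/* Fixed handler: the check OpenSSL 1.0.1g introduced.  Header + declared payload
 * + minimum padding must fit inside the record actually received; otherwise the
 * record is silently discarded (RFC 6520, section 4). */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *reply, size_t reply_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;   /* the fix */
    size_t out_len = 3 + payload + HB_PADDING;
    if (out_len > reply_cap) return -1;
    reply[0] = HB_RESPONSE; reply[1] = rec[1]; reply[2] = rec[2];
    memcpy(reply + 3, rec + 3, payload);         /* now provably inside rec */
    memset(reply + 3 + payload, 0, HB_PADDING);
    return (int)out_len;
}

/* Stand-in for "process memory": a 4-byte request that really arrived, followed
 * a little later by a constructed secret, as on a busy server's heap. */
#define ARENA_SIZE 32768
static const char SECRET[] = "Cookie: session=deadbeef; user=alice"; /* constructed */

static size_t build_arena(unsigned char *arena, unsigned int declared_len)
{
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(declared_len >> 8); arena[2] = (unsigned char)declared_len;
    arena[3] = 'A';                              /* the one payload byte sent */
    memcpy(arena + 64, SECRET, sizeof SECRET);   /* unrelated data nearby */
    return 4;                                    /* bytes that actually arrived */
}

static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* 1 if a 4-byte request claiming 16384 payload bytes makes the vulnerable
 * handler hand back the neighbouring secret. */
int vulnerable_leaks_secret(void)
{
    unsigned char arena[ARENA_SIZE], reply[HB_MAX_REPLY];
    size_t rec_len = build_arena(arena, 0x4000);
    int n = heartbeat_vulnerable(arena, rec_len, reply, sizeof reply);
    return n > 3 && contains(reply + 3, (size_t)n - 3, SECRET);
}

/* 1 if the fixed handler drops that same request. */
int fixed_rejects_oversized(void)
{
    unsigned char arena[ARENA_SIZE], reply[HB_MAX_REPLY];
    size_t rec_len = build_arena(arena, 0x4000);
    return heartbeat_fixed(arena, rec_len, reply, sizeof reply) == -1;
}

/* 1 if a well-formed request (declared length matches what was sent) gets the
 * same reply from both handlers: the fix does not break legitimate heartbeats. */
int fixed_echoes_valid_request(void)
{
    unsigned char rec[3 + 5 + HB_PADDING] = { HB_REQUEST, 0, 5, 'h', 'e', 'l', 'l', 'o' };
    unsigned char r1[64], r2[64];
    int n1 = heartbeat_vulnerable(rec, sizeof rec, r1, sizeof r1);
    int n2 = heartbeat_fixed(rec, sizeof rec, r2, sizeof r2);
    return n1 == (int)sizeof rec && n1 == n2 && memcmp(r1, r2, (size_t)n1) == 0
           && memcmp(r2 + 3, "hello", 5) == 0;
}
```

Each of the three demonstration functions returns 1: the vulnerable handler sends back the constructed cookie that was never part of the request, the fixed handler silently drops the malformed request, and both handlers answer a well-formed request identically. The demonstration keeps the over-read inside its own arena so that it is well-defined C; on a real server the extra bytes were whatever happened to follow the record on the heap, which is why private keys, passwords and session cookies all turned up in captured responses.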

Karen A. Frenkel writes about technology and innovation and lives in New York City.

