Hostwinds Blog

Heartbleed Bug Testing Exposes Private Server Encryption Keys

by: Bryon Turcotte  /  April 16, 2014

A team of researchers at the San Francisco-based firm CloudFlare has recently determined that the private encryption key of a server "_may be obtained using the Heartbleed bug_," according to a recent article published by Computer World. Furthermore, the article indicates that "_four researchers working separately_" have now confirmed what was once only assumed to be possible, clarifying the true danger behind the OpenSSL bug.

CloudFlare confronted the "_security community_" by asking whether Heartbleed, the bug in the OpenSSL cryptographic library, could be used to steal "_the private key used to create the SSL/TLS (Secure Sockets Layer/Transport Security Layer)_," namely "_the encrypted channel between users and websites_," according to the article. The Computer World report indicates that if an attacker obtains "_the private key for an SSL/TLS certificate_," the creation of a "_fake website that passes the security verification_" could soon follow. The attacker could also "_decrypt traffic passing between a client and a server_" (a man-in-the-middle attack) and "_possibly unscramble encrypted communications they've collected in the past_," as the article confirms.

The article states that the Heartbleed bug will release data, which could include the "_login credentials for people who have recently logged into the server_," from a computer's memory "_in 64K batches_". According to the article, this makes the flaw very dangerous, since attackers could "_keep hitting the server repeatedly_", obtaining 64K of memory data on each attempt, until they have drained all the information they need, while leaving few traces behind. The report indicates further that security experts are "_still trying to figure out the conditions under which what specific data is revealed._" Computer World notes that OpenSSL is widely used in a "_variety of operating systems, mobile applications, routers and other networking equipment_", which amplifies the concern and puts the danger at a historic level.
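As an added example (not from this post or the Computer World article): the 64K ceiling corresponds to the 16-bit payload-length field of a TLS heartbeat message (RFC 6520), and a request is suspect when that field claims more bytes than the record actually carries. The Python code below flags such records and counts them per source, which is one way to surface the repeated requests described above; it assumes unencrypted record bytes from a capture, and the function names and sample records are constructed for illustration.

```python
import struct
from collections import Counter

HEARTBEAT = 24      # TLS record content type for heartbeat messages (RFC 6520)
MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding

def classify_record(record: bytes) -> str:
    """Classify one unencrypted TLS record as seen on the wire."""
    if len(record) < 5:
        return "truncated"
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) < rec_len or rec_len < 3:
        return "truncated"
    _hb_type, claimed = struct.unpack("!BH", body[:3])
    # type (1) + length field (2) + claimed payload + padding must fit in
    # the bytes that actually arrived; otherwise an unpatched peer would
    # answer with memory that was never part of the request.
    if 1 + 2 + claimed + MIN_PADDING > rec_len:
        return "overread"
    return "ok"

def overreads_by_source(events):
    """Count flagged heartbeat records per source address."""
    return Counter(src for src, rec in events
                   if classify_record(rec) == "overread")

def sample_record(claimed: int, payload: bytes, padding: int) -> bytes:
    """Build a constructed sample heartbeat record (hypothetical helper)."""
    body = struct.pack("!BH", 1, claimed) + payload + b"\x00" * padding
    return struct.pack("!BHH", HEARTBEAT, 0x0302, len(body)) + body

# Constructed sample capture; addresses come from documentation ranges.
SAMPLE = [
    ("192.0.2.10", sample_record(4, b"ping", 16)),      # well-formed
    ("198.51.100.7", sample_record(0x4000, b"", 0)),    # claims 16 KB, sends none
    ("198.51.100.7", sample_record(0xFFFF, b"", 0)),    # claims the 64K maximum
    ("198.51.100.7", sample_record(0xFFFF, b"", 0)),    # same source again
]

if __name__ == "__main__":
    for src, n in overreads_by_source(SAMPLE).items():
        print(f"{src}: {n} heartbeat record(s) claiming more payload than sent")
```

The comparison inside `classify_record` is the same bounds check a patched TLS stack applies before answering a heartbeat, so a record it flags is one a fixed server silently discards.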

Read the full article for more on the continuing research into the Heartbleed bug and on how experts are trying to move swiftly to get in front of this serious and costly vulnerability.
