Q1: What is the Heartbleed bug?
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It is a hole that leaves websites and user information open to attacks.

Q2: What is OpenSSL?
OpenSSL stands for Open Secure Sockets Layer. Users can easily recognise a website using OpenSSL by the 'https' prefix, which is a sign of a secured website. It is used by about 66% of secured websites on the internet.

Q3: Why is it so dangerous?
The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.

Q4: Why is it called Heartbleed?
The signals exchanged between a computer and a server are called heartbeats. Now the beat is broken and bleeding; the name stands for that.

Q5: How was the bug discovered?
A Finnish company named Codenomicon found it. Their three-member team found it while making improvements to their own security tools.

Q6: Who does it affect?
Everybody using Internet services or applications that use a vulnerable version of OpenSSL. The first victim of the Heartbleed bug was the Canada Revenue Agency, which reported that 900 Social Identification Numbers had been stolen. The 19-year-old man who used the Heartbleed bug to steal this data was arrested in Canada.

Q7: Who made this happen? Whose fault is this?
A German developer, Robin Seggelmann, made a human error while coding a new version of OpenSSL in December 2011. He simply forgot to set the length of one parameter.

Q8: How much data can be stolen with a single request?
Only 64 kilobytes. But the request can be repeated millions of times, so the problem is still huge.
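The "forgotten length" in Q7 and the "64 kilobytes" in Q8 are the same defect seen from two sides. A TLS heartbeat record carries a 2-byte field in which the peer declares how long its payload is; the vulnerable code copied that many bytes into the reply without checking that the record actually contained them, so a 2-byte field can request up to 65535 bytes (about 64 KB) from whatever sat in memory after the real payload. The following is an added illustration written for this page, not OpenSSL's code: the record layout and the 16-byte padding constant come from the heartbeat specification (RFC 6520), while every function name, the sample records and the buffer sizes are constructed for the example. It places the unchecked length handling beside the bounds check that the fixed version performs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat record layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * The constants are the protocol's; the functions below are constructed
 * for this example and are not OpenSSL's implementation. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_HEADER    3   /* type + 2-byte payload length */

/* Outcome of validating one incoming heartbeat record. */
enum hb_result { HB_OK = 0, HB_BAD_TYPE = -1, HB_BAD_LENGTH = -2 };

/* Constructed sample: a 22-byte record whose header honestly declares a
 * 3-byte payload ("abc") followed by 16 bytes of zero padding. */
const uint8_t HB_SAMPLE_HONEST[22] = { HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c' };

/* Constructed sample: the same 22 bytes on the wire, but the header claims
 * a 0xFFFF-byte (65535-byte) payload that the record does not contain. */
const uint8_t HB_SAMPLE_LYING[22]  = { HB_REQUEST, 0xFF, 0xFF, 'a', 'b', 'c' };

/* Shared reply buffer so the example (and its checks) need no locals. */
uint8_t hb_reply_buf[64];

/* Read the 2-byte big-endian payload length the peer declared. */
uint16_t hb_declared_len(const uint8_t *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Unchecked handling: trusts the declared length and never consults how many
 * bytes actually arrived. This is the shape of the Heartbleed defect; the
 * caller would memcpy this many bytes out of a buffer that only holds rec_len. */
size_t hb_echo_len_unchecked(const uint8_t *rec, size_t rec_len) {
    (void)rec_len;                 /* ignored: that is the bug */
    return hb_declared_len(rec);   /* 65535 for the lying sample */
}

/* Checked handling: the declared payload plus header and padding must fit
 * inside the record that was really received. */
int hb_validate(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER + HB_PADDING)          /* too short even for an empty payload */
        return HB_BAD_LENGTH;
    if (rec[0] != HB_REQUEST)
        return HB_BAD_TYPE;
    if ((size_t)HB_HEADER + hb_declared_len(rec) + HB_PADDING > rec_len)
        return HB_BAD_LENGTH;                      /* the missing bounds check */
    return HB_OK;
}

/* Build the echo reply only after validation, so the memcpy can never run
 * past the bytes the peer actually sent. Returns reply length, or 0 if the
 * record was rejected or the output buffer is too small. */
size_t hb_build_reply(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (hb_validate(rec, rec_len) != HB_OK)
        return 0;
    size_t plen = hb_declared_len(rec);
    size_t reply_len = HB_HEADER + plen + HB_PADDING;
    if (reply_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)(plen & 0xFF);
    memcpy(out + HB_HEADER, rec + HB_HEADER, plen);      /* plen is now known to be in bounds */
    memset(out + HB_HEADER + plen, 0, HB_PADDING);       /* real stacks use random padding */
    return reply_len;
}

int main(void) {
    printf("lying record: unchecked code would echo %zu bytes from a %zu-byte record\n",
           hb_echo_len_unchecked(HB_SAMPLE_LYING, sizeof HB_SAMPLE_LYING), sizeof HB_SAMPLE_LYING);
    printf("lying record: checked validation -> %d (expect %d)\n",
           hb_validate(HB_SAMPLE_LYING, sizeof HB_SAMPLE_LYING), HB_BAD_LENGTH);
    printf("honest record: reply length %zu\n",
           hb_build_reply(HB_SAMPLE_HONEST, sizeof HB_SAMPLE_HONEST, hb_reply_buf, sizeof hb_reply_buf));
    return 0;
}
```

The unchecked path returns 65535 for a record that is only 22 bytes long, which is where the "64 kilobytes per request" figure in Q8 comes from; the checked path rejects the same record with HB_BAD_LENGTH and echoes the honest one unchanged. The validation is deliberately placed before the copy rather than beside it: once the declared length has been proven to fit inside rec_len, the memcpy has no way to read memory the peer did not send.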
Q9: Why are some sites not affected by Heartbleed?
Some websites use an earlier, unaffected version, and some did not enable the "heartbeat" feature that was central to the vulnerability.

Q10: Which OpenSSL versions are vulnerable?
OpenSSL versions from 1.0.1 to 1.0.1f. All earlier and later versions are safe.

Q11: What should I do now?
Wait until the services you use have updated their OpenSSL. After that, change your passwords.

Q12: How can I know if I have been affected by the bug?
You cannot. The bug does not leave any trace of itself.

Q13: How do I check if a website has been affected or fixed?
A few companies and developers have created testing sites to check which websites are vulnerable or safe. Two good ones are LastPass and Qualys. But the most prudent thing to do is to get confirmation from the site through one of its official channels. Lots of companies have been putting up blog posts and issuing statements about the health of their sites. Or you can email a site operator or customer service person directly.

Q14: Should I be worried about my bank account?
Most banks don't use OpenSSL, but instead use proprietary encryption software. But if you're unsure, contact your bank directly for confirmation that the website is secure. Of course, if you have entered your bank account information on some other web page, it can be stolen from there.

Q15: Are there any conspiracy theories?
Yes. It is said that the NSA made this and is using the bug to spy on people. However, this does not seem to be true.

Q16: Where can I find more information?
http://heartbleed.com and https://www.cert.fi/en/reports/2014/vulnerability788210.html