Items tagged with OpenSSL

When the OpenSSL vulnerability Heartbleed broke cover in April, it felt like it was the only thing that mattered for an entire week. Like many news outlets, we reported on the bug from a number of different angles, and it was all for good reason: It's a severe bug, and one that the world needs to know about. Given all of the attention Heartbleed received, it'd be easy to assume that the vulnerability would now be hard to spot out in the wild - but no. Far from it, actually. When we first learned of Heartbleed, it was estimated that at least half a million Web servers were vulnerable because of...
The Heartbleed Bug illustrated just how vulnerable our global communications structure really is, and now a glut of important tech companies in collaboration with the Linux Foundation are launching a new initiative called the Core Infrastructure Initiative to better support the open source projects and technologies that keep the Internet afloat. The first item on the docket is increased support for OpenSSL, which if you’ll recall was the source of the Heartbleed problem. OpenSSL “could receive fellowship funding for key developers as well as other resources...
As Seth covered earlier today, Bloomberg has accused the NSA of benefiting from the Heartbleed OpenSSL bug. The NSA denies this in fairly strong terms. I'd like to draw attention to a different facet of the topic -- first, by discussing the semantics of the NSA's denial and then the wider impact of how that denial is perceived and what it means for the tech community as a whole.
The NSA's Denial is Surprisingly Straightforward
For the past year, the NSA's responses to the Snowden leaks have followed the same strategy: Either the organization claims that its activities are legal or it denies engaging...
The news of two truly horrible security breaches broke this year; one was the NSA’s shadowy data grabbing and surveillance program, and the other was the Heartbleed bug that left about two-thirds of the Internet utterly exposed to any bad actor. According to a Bloomberg report, these two stories have merged, as “two people familiar with the matter” have told the outlet that the NSA has known about the Heartbleed bug for at least two years and has regularly exploited it to gather intelligence. In an emailed statement to Bloomberg, the Office of the Director of National Intelligence...
Terrible news, everyone: There’s a coding error in the OpenSSL cryptographic software library that allows anyone with the right tools and a little know-how to access secret encryption keys, usernames, passwords, and even content on sites using OpenSSL for protection. That includes roughly two-thirds of the Internet’s web servers, according to Ars Technica. The problem with the so-called Heartbleed bug is that there’s a missing bounds check. “By abusing this mechanism, an attacker can request that a running TLS server hand over a relatively large slice (up to 64KB) of its...