Privacy: Critical Crypto Bug in OpenSSL Opens Two-Thirds of Web to Eavesdropping
If your organization or vendors use OpenSSL (as you’ll read below, you/they probably do), please take note of this important story. Also, as the ars technica story points out, simply patching the bug might not be enough.
Even if this news is not a direct concern for you, it is another real-world example of why it’s very important to be aware of potential privacy issues that could affect your privacy and the privacy of library users/customers.
Of course, encryption is only one of many privacy concerns that info pros should not only know about and understand at a basic level but also educate users about. In other words, your privacy and user privacy should not be an issue only for systems and info tech specialists.
Now, to Today’s News…
From PC World:
Computer security experts are advising administrators to patch a severe flaw in a software library used by millions of websites to encrypt sensitive communications.
The flaw, nicknamed “Heartbleed,” is contained in several versions of OpenSSL, a cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption. Most websites use either SSL or TLS, which is indicated in browsers with a padlock symbol.
The flaw, which was introduced in December 2011, has been fixed in OpenSSL 1.0.1g, which was released on Monday.
The vulnerable versions of OpenSSL are 1.0.1 through 1.0.1f with two exceptions: OpenSSL 1.0.0 branch and 0.9.8, according to a special website set up by researchers who found the problem.
[Our emphasis] If exploited, the flaw could allow attackers to monitor all information passed between a user and a Web service or even decrypt past traffic they’ve collected.
From ars technica:
The researchers [who discovered the bug], who work at Google and software security firm Codenomicon, said even after vulnerable websites install the OpenSSL patch, they may still remain vulnerable to attacks. The risk stems from the possibility that attackers already exploited the vulnerability to recover the private key of the digital certificate, passwords used to administer the sites, or authentication cookies and similar credentials used to validate users to restricted parts of a website. Fully recovering from the two-year-long vulnerability may also require revoking any exposed keys, reissuing new keys, and invalidating all session keys and session cookies. Members of the Tor anonymity project have a brief write-up of the bug here, and this analysis provides useful technical details.
[Clip]
[Our emphasis] OpenSSL is by far the Internet’s most popular open-source cryptographic library and TLS implementation. It is the default encryption engine for Apache and nginx, which according to Netcraft run 66 percent of websites.
OpenSSL also ships in a wide variety of operating systems and applications, including the Debian Wheezy, Ubuntu, CentOS, Fedora, OpenBSD, FreeBSD, and OpenSUSE distributions of Linux. The missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension affects OpenSSL 1.0.1 through 1.0.1f.
Learn More About the Bug and What Could Happen if Not Patched via the Heartbleed.com Website and FAQ
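The “missing bounds check” in heartbeat handling mentioned above, shown as an added illustration that is not OpenSSL’s code and not part of the quoted articles: a simplified C model of a heartbeat message (layout per RFC 6520) with the unchecked length logic beside the checked form. The function names and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message:
 * type (1) | payload_length (2, big-endian) | payload | padding (>= 16) */
#define HB_HEADER 3u
#define HB_MIN_PADDING 16u

static size_t hb_claimed_len(const uint8_t *msg) {
    return ((size_t)msg[1] << 8) | msg[2];
}

/* Model of the flawed logic: the echo length comes from the sender's length
 * field and is never compared with the bytes actually received. Returns how
 * many bytes past the end of the message such a copy would read. */
size_t hb_overread_unchecked(const uint8_t *msg, size_t msg_len) {
    if (msg_len < HB_HEADER) return 0;
    size_t claimed = hb_claimed_len(msg);
    size_t present = msg_len - HB_HEADER;
    return claimed > present ? claimed - present : 0;
}

/* Hardened handling: 0 = payload copied to out, -1 = discard silently. */
int hb_echo_checked(const uint8_t *msg, size_t msg_len,
                    uint8_t *out, size_t out_cap, size_t *out_len) {
    if (msg_len < HB_HEADER + HB_MIN_PADDING) return -1;  /* too short to be valid */
    size_t claimed = hb_claimed_len(msg);
    if (claimed > msg_len - HB_HEADER - HB_MIN_PADDING) return -1;  /* claims more than arrived */
    if (claimed > out_cap) return -1;  /* would not fit the reply buffer */
    memcpy(out, msg + HB_HEADER, claimed);
    *out_len = claimed;
    return 0;
}

int main(void) {
    /* Constructed sample: 19 bytes received, length field claims 0x4000. */
    uint8_t lying[19] = {1, 0x40, 0x00};
    uint8_t out[64];
    size_t n = 0;
    printf("unchecked over-read: %zu bytes\n", hb_overread_unchecked(lying, sizeof lying));
    printf("checked result: %d\n", hb_echo_checked(lying, sizeof lying, out, sizeof out, &n));
    return 0;
}
```

The bytes past the end of the message are whatever else sits in the server’s memory, which is why the quoted advice goes beyond patching to revoking and reissuing keys and invalidating sessions.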

About Gary Price
Gary Price (gprice@gmail.com) is a librarian, writer, consultant, and frequent conference speaker based in the Washington D.C. metro area. He earned his MLIS degree from Wayne State University in Detroit. Price has won several awards including the SLA Innovations in Technology Award and Alumnus of the Year from the Wayne St. University Library and Information Science Program. From 2006-2009 he was Director of Online Information Services at Ask.com.