Heartbleed security flaw found in Web encryption, spurs fix

The Web security flaw which researchers disclosed on 7 April, involves a two-year-old programming mistake in OpenSSL

Jordan Robertson
Updated9 Apr 2014, 05:49 PM IST
The vulnerability, dubbed Heartbleed, was discovered by researchers from Google Inc. and Codenomicon, a security firm based in Finland. Photo: Hindustan Times<br />
The vulnerability, dubbed Heartbleed, was discovered by researchers from Google Inc. and Codenomicon, a security firm based in Finland. Photo: Hindustan Times

San Francisco: Researchers have pushed out a fix for a security flaw that affects as many as two-thirds of all Internet servers and could let hackers intercept encrypted traffic including e-mail messages, banking information, usernames and passwords.

The flaw and the fix, which researchers disclosed on 7 April, involves a two-year-old programming mistake in OpenSSL. OpenSSL is an open-source software that is widely used by Internet companies to secure traffic flowing between servers and users’ computers. SSL refers to an encryption protocol known as Secure Sockets Layer and its use is indicated by a closed padlock appearing on browsers next to a website’s address.

The vulnerability, dubbed Heartbleed, was discovered by researchers from Google Inc. and Codenomicon, a security firm based in Finland, and reported to OpenSSL, according to a blog post from Codenomicon. It isn’t known whether malicious hackers knew about the bug and were exploiting it, the researchers wrote.

The revelation comes at a time of mounting concern about hackers’ capabilities following consumer data breaches at Target Corp. and Neiman Marcus Group Ltd and the spying scandal involving the National Security Agency.

People should change their passwords for sensitive sites to be on the safe side, said Zully Ramzan, chief technology officer of Elastica, a cyber-security firm.

The one saving grace with this flaw is that it was relatively simple to spot and as a result very simple to fix, Ramzan wrote in an e-mail yesterday. That said, OpenSSL is incredibly widespread. It’s literally the most popular implementation of SSL on the planet. So any compromise in its security has far reaching implications.

66 Percent

OpenSSL runs on as many as 66% of all active sites on the Internet, though many large consumer sites aren’t vulnerable to being exploited because they use specialized encryption equipment and software, the researchers wrote. A test site allows website administrators to check whether their properties are affected.

Google and Facebook Inc. said in e-mailed statements on Tuesday that their properties aren’t vulnerable to the flaw. Tests on the homepages of other large technology, e-commerce and banking companies including Microsoft Corp., Amazon.com Inc. and Bank of America Corp. indicated they weren’t vulnerable.

“The security of our users’ information is a top priority”, Google said in its statement. “We proactively look for vulnerabilities and encourage others to report them precisely so that we are able to fix them before they are exploited. We have assessed the SSL vulnerability and applied patches to key Google services.”

In a statement, Facebook said it added protections for Facebook’s implementations of OpenSSL before this issue was publicly disclosed, and that they haven’t detected any signs of suspicious activity on people’s accounts. BLOOMBERG

Catch all the Industry News, Banking News and Updates on Live Mint. Download The Mint News App to get Daily Market Updates.

MoreLess
First Published:9 Apr 2014, 05:49 PM IST
Business NewsIndustryHeartbleed security flaw found in Web encryption, spurs fix

Get Instant Loan up to ₹10 Lakh!

  • Employment Type

    Most Active Stocks

    Bandhan Bank share price

    207.80
    11:17 AM | 11 OCT 2024
    20.05 (10.68%)

    Tata Steel share price

    161.70
    11:17 AM | 11 OCT 2024
    2.05 (1.28%)

    Axis Bank share price

    1,176.30
    11:16 AM | 11 OCT 2024
    -7.45 (-0.63%)

    Zee Entertainment Enterprises share price

    131.25
    11:17 AM | 11 OCT 2024
    1.85 (1.43%)
    More Active Stocks

    Market Snapshot

    • Top Gainers
    • Top Losers
    • 52 Week High

    Page Industries share price

    45,450.00
    11:03 AM | 11 OCT 2024
    1314.7 (2.98%)

    CG Power & Industrial Solutions share price

    866.50
    11:12 AM | 11 OCT 2024
    24.45 (2.9%)

    Divis Laboratories share price

    6,068.20
    11:10 AM | 11 OCT 2024
    127.7 (2.15%)

    HCL Technologies share price

    1,833.90
    11:11 AM | 11 OCT 2024
    23.9 (1.32%)
    More from 52 Week High

    Cummins India share price

    3,591.75
    11:12 AM | 11 OCT 2024
    -189.6 (-5.01%)

    Creditaccess Grameen share price

    1,079.30
    11:12 AM | 11 OCT 2024
    -40.1 (-3.58%)

    Jubilant Pharmova share price

    1,147.80
    11:12 AM | 11 OCT 2024
    -36 (-3.04%)

    Fertilizers & Chemicals Travan share price

    906.85
    11:10 AM | 11 OCT 2024
    -25.4 (-2.72%)
    More from Top Losers

    Triveni Turbines share price

    787.95
    11:11 AM | 11 OCT 2024
    43.7 (5.87%)

    Network 18 Media & Investments share price

    80.08
    11:11 AM | 11 OCT 2024
    3.8 (4.98%)

    Rajesh Exports share price

    290.15
    11:11 AM | 11 OCT 2024
    13.4 (4.84%)

    TV18 Broadcast share price

    43.45
    11:12 AM | 11 OCT 2024
    1.94 (4.67%)
    More from Top Gainers

    Recommended For You

      More Recommendations

      Gold Prices

      • 24K
      • 22K
      Bangalore
      76,645.00-50.00
      Chennai
      76,651.00-50.00
      Delhi
      76,803.00-50.00
      Kolkata
      76,655.00-50.00

      Fuel Price

      • Petrol
      • Diesel
      Bangalore
      102.86/L0.00
      Chennai
      100.76/L0.01
      Kolkata
      104.95/L0.00
      New Delhi
      94.72/L0.00

      Popular in Industry

        HomeMarketsloanPremiumMint Shorts