- FYI April 8
Internet security experts are seriously concerned about an implementation problem with some versions of OpenSSL (a cryptographic library that powers Secure Sockets Layer or Transport Layer Security encryption). So what's OpenSSL? It's basically that little padlock symbol you see in your browser when visiting a secure website. And the problem with these secure sites is called "Heartbleed":
Even if you've never heard of OpenSSL, it's probably a part of your life in one way or another — or, more likely, in many ways. The apps you use, the sites you visit; if they encrypt the data they send back and forth, there's a good chance they use OpenSSL to do it. The Apache web server that powers something like 50 percent of the internet's web sites, for example, utilizes OpenSSL.
Through a bug that security researchers have dubbed "Heartbleed," it seems that it's possible to trick almost any system running any version of OpenSSL from the past 2 years into revealing chunks of data sitting in its system memory.
Why that's bad: very, very sensitive data often sits in a server's system memory, including the keys it uses to encrypt and decrypt communication (read: usernames, passwords, credit cards, etc.). This means an attacker could quite feasibly get a server to spit out its secret keys, allowing them to read any communication that they intercept like it wasn't encrypted at all. Armed with those keys, an attacker could also impersonate an otherwise secure site/server in a way that would fool many of your browser's built-in security checks. [TechCrunch]
This is a programming mistake, not a problem with the cryptography itself. Luckily, there are patches out already, and web companies are scrambling to bring their systems up to date. Here is more information, and here is a tool to test whether a server is vulnerable.