GMAIL Heartbleed Security Flaw | Security Learner's Blog

Monday, 14 April 2014

Heartbleed Security Flaw

Millions of websites, users' passwords, credit card numbers and other personal information may be at risk as a result of the Heartbleed security flaw, a vulnerability in widely used cryptographic library 'OpenSSL'.
Netcraft survey says that about half a million widely trusted active websites on the internet are vulnerable to the heartbleed bug, which means the information transmitting through hundreds of thousands of websites could be vulnerable, despite the protection offered by encryption techniques.
According to Netcraft, “the heartbeat extension was enabled on 17.5% of SSL sites, accounting for around half a million certificates issued by trusted certificate authorities. These certificates are consequently vulnerable to being spoofed (through private key disclosure), allowing an attacker to impersonate the affected websites without raising any browser warnings.”
Among the trusted names running OpenSSL is Yahoo!, which has been affected by this critical flaw. Yes, Yahoo Inc., which boasts more than 800 million users worldwide, is among the Internet services that could be potentially hurt by Heartbleed.
the Popular sites which exhibit support for the TLS heartbeat extension also include Twitter, Facebook, GitHub, Bank of America, DropBox are not currently vulnerable, but it is unclear that they were vulnerable few days ago.
Including Yahoo!, Flickr, Tumbler, Google, OKCupid and even the anonymous search engine DuckDuckGo was vulnerable, which has now been fixed.
Yahoo Inc. said that it has "successfully made appropriate corrections" to the main Yahoo properties, including Yahoo Homepage, Search, Mail, Finance, Sports, Food, Tech, Flickr and Tumblr.
You can see the Heartbleed mass-test when performed around 8th April from here. In the list, the websites shown vulnerable may not be vulnerable right now.
HOW TO PROTECT YOURSELF FROM HEARTBLEED
First of all check if the sites you use every day on an individual basis are vulreble to Heartbleed bug or not using http://filippo.io/Heartbleed/, and if you're given a red flag, avoid the site for now. LastPass also created a Web app that will tell you what kind of encryption a site uses, and when the encryption was last updated.
If the site you use is not affected by the vulnerability, its good idea that you change your password immediately, assuming that it was vulnerable before, just to make sure that you are now safe. But changing the password before the bug is fixed could compromise your new password as well.
You are advised to don't reuse the same passwords on different websites and try to use a separate password for each website.
If you are using a public Wi-Fi at MacDonald or any other public places, then you should limit your Internet behavior and avoid sign in into websites that are especially sensitive.
OpenSSL version 1.0.1 through 1.0.1f and 1.0.2-beta1 are Vulnerable and flaw is fixed in OpenSSL 1.0.1g. If you haven't yet, please update your system that use OpenSSL for TLS encrypted communications.
And last but not the least; keep an eye on every financial transaction, and it is good practice to use two-factor authentication, which means with the password, the account requires a freshly generated pass code that shows up only on your personal smartphone, before getting into certain sites.
Stay Secure!

FIDA HUSSAIN

I am Fida Hussain,a computer student from Pakistan. Right from the day one I was introduced to computers,I had a passion for Hacking and Information security. So,I started this blog in 2012 to share my views and ideas with the world.

0 comments :

Post a Comment

 

Security Learner's Blog

Designed by Fida Hussain
This content is DMCA Protected.Copying or reproducing of procedure is prohibited.Do Not Copy!!