- What is OpenSSL?
- What happened?
- Interesting links and resources about the Heartbleed bug (if you want to know more)
- My opinion
What is OpenSSL?
OpenSSL is a cryptographic software library and an open-source implementation of the SSL and TLS protocols, which provide communication security over the Internet (from Wikipedia). A lot of software depends on it, for example:
- Apache and Nginx web servers (nearly 70% of websites run one of these two!)
- Heroku (cloud application platform)
- WordPress (a free and open-source blogging tool and content management system)
- Multiple Cisco products
- Android 4.1.1 (Jelly Bean)
What happened?
Let's start with the official information.
The OpenSSL Security Advisory states: "A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server." Note the direction in that sentence: a malicious client can read memory from a vulnerable server, and a malicious server can read memory from a vulnerable client, and nothing stops the attacker from repeating the request to read further 64k chunks. OpenSSL versions 1.0.1 through 1.0.1f are affected by this vulnerability (CVE-2014-0160); 1.0.1g fixes it, and the 1.0.0 and 0.9.8 branches are not affected. (from https://www.openssl.org/news/secadv_20140407.txt)
"This bug allows anyone on the Internet to obtain private keys, secrets (to identify the service providers and to encrypt the traffic), the names and passwords of the users and the actual content." (from http://heartbleed.com)
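To make the advisory's "missing bounds check" concrete, here is an added example (my own code, not from the original post and not OpenSSL's source). It models a heartbeat record the way RFC 6520 lays it out: a 1-byte type, a 2-byte payload length chosen by the peer, the payload, and at least 16 bytes of padding. The vulnerable handler copies as many bytes as the length field claims; the hardened handler adds the two length checks that OpenSSL 1.0.1g introduced, written here against the demo's own record/length arguments. The memory arena, the constructed "secret" string and all function names are assumptions made for this demo, and the over-read is kept inside the arena so the demo itself has no undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16    /* minimum padding required by RFC 6520 */
#define ARENA_SIZE       1024  /* simulated slice of process memory (assumption) */

/* Constructed secret that sits in memory right after the heartbeat record. */
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY----- (constructed)";

/* Lay a heartbeat request down at arena[0]: type, 2-byte length, payload, padding.
 * The length field claims claimed_len bytes while the record really carries
 * actual_len. Returns the record's true length. */
static size_t build_request(unsigned char *arena, uint16_t claimed_len,
                            const char *payload, size_t actual_len)
{
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual_len);
    memset(arena + 3 + actual_len, 0, HB_PADDING);
    return 1 + 2 + actual_len + HB_PADDING;
}

/* Shared tail: build the response once payload_len has been decided. */
static size_t send_response(const unsigned char *rec, uint16_t payload_len,
                            unsigned char *out, size_t out_cap)
{
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;              /* output buffer is checked, input is not */
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);         /* copies payload_len bytes from the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Vulnerable handler, modelled on tls1_process_heartbeat() before the fix:
 * the peer-supplied length is trusted and rec_len (how long the record
 * actually is) is never consulted, so the memcpy reads past the record. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                 /* the bug: never checked */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    return send_response(rec, payload_len, out, out_cap);
}

/* Hardened handler: the two bounds checks added in OpenSSL 1.0.1g. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap)
{
    if ((size_t)1 + 2 + HB_PADDING > rec_len) return 0;   /* too short for a heartbeat */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return 0; /* the fix */
    return send_response(rec, payload_len, out, out_cap);
}

typedef size_t (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

/* Feed a handler a malformed request (claims 512 bytes, carries 4) with the secret
 * just past the record. Returns 1 if the secret came back; *resp_len_out gets the
 * response length (0 means the handler rejected the record). */
static int probe(hb_handler handle, size_t *resp_len_out)
{
    unsigned char arena[ARENA_SIZE], resp[ARENA_SIZE];
    memset(arena, 'A', sizeof arena);              /* filler so a leak is visible */
    size_t rec_len = build_request(arena, 512, "ping", 4);
    memcpy(arena + rec_len, SECRET, sizeof SECRET); /* 3 + 512 < ARENA_SIZE: read stays in bounds */
    size_t n = handle(arena, rec_len, resp, sizeof resp);
    *resp_len_out = n;
    for (size_t i = 3; i + sizeof SECRET <= n; i++)
        if (memcmp(resp + i, SECRET, sizeof SECRET) == 0) return 1;
    return 0;
}

int vulnerable_leaks_secret(void) { size_t n; return probe(heartbeat_vulnerable, &n); }
int fixed_rejects_malformed(void) { size_t n; return !probe(heartbeat_fixed, &n) && n == 0; }

/* A well-formed request (length field matches the payload) is still answered. */
int fixed_echoes_honest_request(void)
{
    unsigned char arena[ARENA_SIZE], resp[ARENA_SIZE];
    size_t rec_len = build_request(arena, 4, "ping", 4);
    size_t n = heartbeat_fixed(arena, rec_len, resp, sizeof resp);
    return n == rec_len && resp[0] == TLS1_HB_RESPONSE
        && memcmp(resp + 3, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks the secret:  %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler rejects the bad record: %s\n", fixed_rejects_malformed() ? "yes" : "no");
    printf("fixed handler answers honest request: %s\n", fixed_echoes_honest_request() ? "yes" : "no");
    return 0;
}
```

Build it with any C99 compiler (for example `cc -Wall -o hb hb.c && ./hb`). The point to take away is in the two handlers: the vulnerable one checks only that its own output buffer is big enough, which is exactly the check that does not help, while the fixed one compares the attacker-controlled length against the length of the record that actually arrived before copying anything.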
Houston, we have a problem. A BIG one.
It means somebody can steal your digital valuables. It means DISASTER.
Sounds scary? Well, that's because it is!
- It is not the end of the world.
- It will cause a lot of trouble in the short term, but it will be fine.
- First, many sites will show certificate warnings while certificates are revoked and reissued.
- Some software will get emergency releases.
Interesting links and resources about the Heartbleed bug
If you want to know more:
- If you need all the essential information about the bug and what to do, look here:
- Some technical information about the bug (where it is, what the fix looks like, etc.) is here:
- To test whether you are affected (for website owners, or to check a service where you store critical data), go here:
My opinion
Bugs happen, and they will keep happening.
I feel sorry for the guy (Dr. Stephen Henson) who introduced the bug in this git commit: git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4817504 (Git is cruel!)
Many people went wild criticising the OpenSSL team for this bug.
- It is everybody's responsibility to take care of it.
- If you believe something is needed (for example, a security audit), DO IT and share the results with the OpenSSL community (too expensive? Use crowdfunding instead).
- It should be better funded (if you want to donate to the OpenSSL folks: https://www.openssl.org/support/donations.html).
So people, stop blaming and bitching about it. It is useless and a waste of your time. Use that time to improve OpenSSL instead.
Another question is secure programming in C. Many people say that these days secure programming in C is almost mission impossible and OpenSSL should be rewritten, BUT ... at the moment YOU must live with the fact that OpenSSL is written in C.