4. What is SSL?
• Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are
the most widely deployed security protocols in use today. TLS provides a secure
channel between two machines communicating over the Internet or an internal
network.
• It provides an encrypted link between the server and the client.
• It ensures that the data communicated remains confidential and is protected
against tampering (integrity), and it authenticates the server to the client.
5. So, moving on…
• OpenSSL - OpenSSL is a general purpose cryptography library that provides an
open source implementation of the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols.
• This is the library behind Heartbleed; let's find out how.
• Firstly, it is not a virus! It is a bug in code that already runs on the
server (and client), not malware that infects machines.
• Heartbleed: the Heartbleed bug is a serious vulnerability in the popular OpenSSL
cryptographic software library. This weakness allows stealing the information
protected, under normal conditions, by the SSL/TLS encryption used to secure the
Internet.
6. How was this bug exploited?
The bug is present in OpenSSL 1.0.1 through 1.0.1f (and the 1.0.2 beta
releases). The older 1.0.0 and 0.9.8 branches never contained the heartbeat
code and are not affected. It was fixed in OpenSSL 1.0.1g.
The vulnerable code shipped with OpenSSL 1.0.1 in March 2012 and the bug was not
publicly known until its disclosure in April 2014, so it sat in production for
about two years.
8. More about Heartbleed!
• CVE-2014-0160 is the official reference to this bug. CVE stands for Common
Vulnerabilities and Exposures.
• This is an implementation problem, i.e. a programming mistake in the popular
OpenSSL library that provides cryptographic services such as SSL/TLS to
applications and services. The TLS protocol itself is not broken.
• Why "Heartbleed"? The bug is in OpenSSL's implementation of the TLS heartbeat
extension (RFC 6520). A heartbeat request carries a payload and a 16-bit
payload length, and the peer is supposed to echo the payload back. OpenSSL
trusted the length the client claimed without checking it against the size of
the record actually received, so a request claiming a 64 KB payload but
carrying only a few bytes made the server copy up to 64 KB of adjacent process
memory into the reply: the heartbeat "bleeds" memory, which can include private
keys, session cookies and passwords. No authentication is needed and nothing
unusual is logged.
• Apache and nginx, which both use OpenSSL, together served about two thirds of
active websites at the time of disclosure, so the exposure was enormous.
• A fixed OpenSSL (1.0.1g) has been released and now it has to be deployed.
Patching alone is not enough: because private keys may already have been
leaked, certificates should be reissued and the old ones revoked, and session
cookies and user passwords rotated afterwards.
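As an added example (not the deck's or OpenSSL's own code), here is a simplified C model of the heartbeat handler: the version that trusts the peer-supplied length, beside a version carrying the two bounds checks that OpenSSL 1.0.1g added. The record layout follows RFC 6520; the constructed memory image, the secret string, the `DEMO_SECRET` name and all function names are assumptions made for this illustration. The real handler is `tls1_process_heartbeat()` in `ssl/t1_lib.c`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the TLS heartbeat handler (RFC 6520), written for this
 * page to illustrate CVE-2014-0160. It is NOT OpenSSL's code: the real handler
 * is tls1_process_heartbeat() in ssl/t1_lib.c. Record layout follows RFC 6520;
 * function names, the memory image and the secret are constructed for the demo. */

enum { TLS1_HB_REQUEST = 1, TLS1_HB_RESPONSE = 2 };
#define HB_PADDING     16      /* RFC 6520: at least 16 bytes of random padding */
#define HB_MAX_PAYLOAD 65535   /* payload_length is a 16-bit field */
#define HB_RESP_MAX    (3 + HB_MAX_PAYLOAD + HB_PADDING)

/* Big-endian 16-bit read, like OpenSSL's n2s() macro. */
static uint16_t n2s(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Shared tail: build the response once the length has (or has not) been vetted. */
static int build_response(const uint8_t *rec, uint16_t payload, uint8_t *out)
{
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);        /* echo `payload` bytes back */
    memset(out + 3 + payload, 0, HB_PADDING); /* padding (random in real TLS) */
    return 3 + payload + HB_PADDING;
}

/* Vulnerable handler (pre-1.0.1g behaviour): the peer-supplied length is never
 * compared with rec_len, so memcpy reads past the end of the record and the
 * reply carries up to ~64 KiB of whatever lies next to it in memory. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                            /* the bug: actual length ignored */
    uint8_t hbtype = rec[0];
    uint16_t payload = n2s(rec + 1);
    if (hbtype != TLS1_HB_REQUEST) return 0;
    return build_response(rec, payload, out);
}

/* Fixed handler, mirroring the two checks added in OpenSSL 1.0.1g: the record
 * must be long enough to parse at all, and must really contain the claimed
 * payload plus padding; otherwise it is silently discarded (-1 here). */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (1 + 2 + HB_PADDING > rec_len) return -1;
    uint8_t hbtype = rec[0];
    uint16_t payload = n2s(rec + 1);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;
    if (hbtype != TLS1_HB_REQUEST) return 0;
    return build_response(rec, payload, out);
}

/* Constructed memory image (not a real heap): the received record, then bytes
 * left behind by an unrelated buffer. `claimed` is the payload length the
 * attacker writes into the record; the real payload is always the 2 bytes "hi".
 * Keep claimed <= cap - 3 so the demo itself stays inside the arena. */
#define DEMO_SECRET "Cookie: session=deadbeefcafef00d; user=alice"

static size_t build_arena(uint8_t *arena, size_t cap, uint16_t claimed)
{
    memset(arena, 0, cap);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + 3, "hi", 2);
    size_t rec_len = 3 + 2 + HB_PADDING;      /* what actually came off the wire */
    memcpy(arena + rec_len, DEMO_SECRET, strlen(DEMO_SECRET)); /* neighbouring data */
    return rec_len;
}

/* Search a binary buffer for a NUL-terminated needle. */
static int buf_contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Feed a record claiming `claimed` payload bytes to one handler. Returns the
 * response length (-1 = dropped) and sets *leaked if the secret is in it. */
int run_handler(int fixed, uint16_t claimed, int *leaked)
{
    static uint8_t out[HB_RESP_MAX];          /* static: too big for a small stack */
    uint8_t arena[256];
    size_t rec_len = build_arena(arena, sizeof arena, claimed);
    int n = fixed ? heartbeat_fixed(arena, rec_len, out)
                  : heartbeat_vulnerable(arena, rec_len, out);
    *leaked = n > 0 && buf_contains(out, (size_t)n, "session=deadbeef");
    return n;
}

int main(void)
{
    int leaked;
    int n = run_handler(0, 64, &leaked);
    printf("vulnerable: %d-byte reply, secret leaked=%d\n", n, leaked);
    n = run_handler(1, 64, &leaked);
    printf("fixed:      %d (dropped), secret leaked=%d\n", n, leaked);
    n = run_handler(1, 2, &leaked);
    printf("fixed, honest request: %d-byte reply\n", n);
    return 0;
}
```

The demo keeps the over-read inside one 256-byte array so it is well-defined C; in a real process the bytes after the record are whatever the allocator placed next to it, which is exactly why the leak is unpredictable but frequently contains keys or cookies. Note that the fix drops a malformed record silently rather than sending an alert, which is what OpenSSL 1.0.1g does too.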