Heartbleed : English Wikipedia
Heartbleed

Heartbleed is a security bug disclosed in April 2014 in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. Heartbleed may be exploited regardless of whether the party using a vulnerable OpenSSL instance for TLS is a server or a client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension [Cyberoam Security Advisory - Heartbleed Vulnerability in OpenSSL], thus the bug's name derives from "heartbeat". The vulnerability is classified as a buffer over-read, a situation where more data can be read than should be allowed.
Heartbleed is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160. The federal Canadian Cyber Incident Response Centre issued a security bulletin advising system administrators about the bug. A fixed version of OpenSSL was released on April 7, 2014, on the same day Heartbleed was publicly disclosed.
At the time of disclosure, some 17% (around half a million) of the Internet's secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers' private keys and users' session cookies and passwords. The Electronic Frontier Foundation, Ars Technica, and Bruce Schneier [Schneier on Security: Heartbleed] all deemed the Heartbleed bug "catastrophic". ''Forbes'' cybersecurity columnist Joseph Steinberg wrote, "Some might argue that () is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet."
A British Cabinet spokesman recommended that "People should take advice on changing passwords from the websites they use... Most websites have corrected the bug and are best placed to advise what action, if any, people need to take." On the day of disclosure, the Tor Project advised anyone seeking "strong anonymity or privacy on the Internet" to "stay away from the Internet entirely for the next few days while things settle."
, 1.5% of the 800,000 most popular TLS-enabled websites were still vulnerable to Heartbleed.
TLS implementations other than OpenSSL were not affected.
== History ==

The Heartbeat Extension for the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols was proposed as a standard in February 2012 by RFC 6520. It provides a way to test and keep alive secure communication links without the need to renegotiate the connection each time. In 2011, one of the RFC's authors, Robin Seggelmann, then a Ph.D. student at the Fachhochschule Münster, implemented the Heartbeat Extension for OpenSSL. Following Seggelmann's request to put the result of his work into OpenSSL [#2658: () Add TLS/DTLS Heartbeats], his change was reviewed by Stephen N. Henson, one of OpenSSL's four core developers. Henson failed to notice a bug in Seggelmann's implementation, and introduced the flawed code into OpenSSL's source code repository on December 31, 2011. The flaw spread with the release of OpenSSL version 1.0.1 on March 14, 2012. Heartbeat support was enabled by default, causing affected versions to be vulnerable. [citation dated April 8, 2014]

Excerpt source: the free encyclopedia Wikipedia