A team of researchers at the San Francisco-based firm CloudFlare have recently determined that the private encryption key of a server “may be obtained using the Heartbleed bug“, according to a recent article published by Computer World. The article indicates that “four researchers working separately” have now confirmed what was once only assumed as possible and clarified the true danger behind the OpenSSL bug.
CloudFlare confronted the “security community” by questioning if Heartbleed – the bug in the OpenSSL cryptographic library – could be used to steal “the private key used to create the SSL/TLS (Secure Sockets Layer/Transport Security Layer“, namely “the encrypted channel between users and websites“, according to the article. The Computer World report indicates that if an attacker obtains “the private key for an SSL/TLS certificate“, the creation of a “fake website that passes the security verification” could soon follow. In addition to this they could also “decrypt traffic passing between a client and a server” – a man-in-the-middle attack – and “possibly unscramble encrypted communications they’ve collected in the past“, as the article confirms.
The article states that the Heartbleed bug will release data – which could consist of the “login credentials for people who have recently logged into the server” – from a computer’s memory “in 64K batches“. This proves this flaw to be very dangerous, according to the article, since those attackers could “keep hitting the server repeatedly” – obtaining 64K of memory data on each attempt – until they drain all the information they need and leaving few traces behind. The report indicates further that security experts are “still trying to figure out the conditions under which what specific data is revealed.” Computer World notes that OpenSSL is widely used in a “variety of operating systems, mobile applications, routers and other networking equipment” which continues to amplify the concern and solidify the danger at a historic level.