Tuesday, April 08, 2014

Heartbleed bug in OpenSSL

There was a serious vulnerability reported in the OpenSSL library that can let the attacker to dump memory contents from the server. Thus the attacker can perform offline analysis of the memory contents and identify sensitive information like private key of the server, key material for SSL sessions, decrypted data that is in memory, etc. This affects any server that uses OpenSSL to implement HTTPS.

I thought I will share some material in one place that will be helpful for people to understand the problem better.

  • Description of the problem can be found here.
  • A simple Python script to test your servers can be found here or you can use this site.
  • NVD entry for this issue can be found here.
  • How some of the companies are responding: Heroku, AWS, Lastpass.
Hope that helps.

No comments: