What is the Heartbleed OpenSSL Vulnerability?

The Heartbleed Bug is a serious flaw in the widely used OpenSSL cryptographic software library. This flaw allows information to be stolen that would otherwise be protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS ensures Internet communication security and privacy for applications such as web, email, instant messaging (IM), and some virtual private networks (VPNs).

This bug is officially identified as CVE-2014-0160 under MITRE’s CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names. The OpenSSL implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension, defined in RFC 6520, contains a bug. When exploited, it causes memory contents to leak from the server to the client and from the client to the server.
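The heartbeat extension echoes a client-supplied payload back to the sender, and the message carries its own declared payload length. The leak occurs when an implementation trusts that declared length instead of checking it against the bytes that actually arrived. The following is an added illustration, not OpenSSL's own code: a hardened heartbeat handler that applies the RFC 6520 rule (a message whose declared payload_length does not fit inside the received record is silently discarded) before it copies anything. The names `hb_handle`, `hb_build_request` and `hb_result`, and the sample messages built in `main`, are constructed here for demonstration.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1   /* HeartbeatMessageType heartbeat_request  */
#define HB_RESPONSE    2   /* HeartbeatMessageType heartbeat_response */
#define HB_MIN_PADDING 16  /* RFC 6520: padding must be at least 16 bytes */

/* Outcome of handling one heartbeat record (constructed type for this example). */
typedef struct {
    int    accepted;      /* 1 if a response was produced, 0 if the record was discarded */
    size_t response_len;  /* number of bytes written to the output buffer */
} hb_result;

/* Hardened heartbeat handler (constructed for illustration, not OpenSSL code).
 * rec/rec_len describe the record that actually arrived; out/out_cap is the
 * response buffer. The function never reads beyond rec + rec_len. */
hb_result hb_handle(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    hb_result r = {0, 0};

    /* A well-formed message needs at least type(1) + payload_length(2) + padding(16). */
    if (rec_len < (size_t)1 + 2 + HB_MIN_PADDING)
        return r;

    uint8_t  type        = rec[0];
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);  /* network byte order */

    /* The bounds check the vulnerable versions lacked: the declared payload,
     * plus the mandatory padding, must fit inside the record we received.
     * Otherwise the message is discarded without a response. */
    if ((size_t)1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return r;

    if (type != HB_REQUEST)
        return r;  /* only requests are answered here */

    size_t resp_len = (size_t)1 + 2 + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return r;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);                 /* bounded by the check above */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING);      /* padding; real code uses random bytes */

    r.accepted     = 1;
    r.response_len = resp_len;
    return r;
}

/* Build a heartbeat request record with a caller-chosen declared length so the
 * handler's check can be exercised. Returns the record length, or 0 if it does
 * not fit. Constructed sample input for this example. */
size_t hb_build_request(uint8_t *buf, size_t cap, const uint8_t *payload,
                        uint16_t declared_len, uint16_t actual_len)
{
    size_t total = (size_t)1 + 2 + actual_len + HB_MIN_PADDING;
    if (total > cap)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared_len >> 8);
    buf[2] = (uint8_t)(declared_len & 0xff);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0xAA, HB_MIN_PADDING);  /* filler padding */
    return total;
}

int main(void)
{
    uint8_t req[64], out[128];

    /* Well-formed request: declared length matches the bytes present. */
    size_t n = hb_build_request(req, sizeof req, (const uint8_t *)"ping", 4, 4);
    hb_result r = hb_handle(req, n, out, sizeof out);
    printf("declared 4, actual 4:    accepted=%d response_len=%zu\n", r.accepted, r.response_len);

    /* Malformed request: declared length far larger than the record. */
    n = hb_build_request(req, sizeof req, (const uint8_t *)"ping", 4000, 4);
    r = hb_handle(req, n, out, sizeof out);
    printf("declared 4000, actual 4: accepted=%d (silently discarded)\n", r.accepted);
    return 0;
}
```

The point of the check is that `payload_len` comes from the peer and says nothing about how many bytes were actually received; `rec_len` does. Comparing the two before the `memcpy` is what turns an out-of-bounds read of process memory into a discarded message.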

How can we get rid of this bug?

The vulnerable versions of OpenSSL remain exploitable for as long as they are in use. Now that a fixed OpenSSL has been released, it must be deployed. Operating system and distribution vendors, appliance vendors, and independent software vendors must all ship the fix and notify their customers. Users and service providers must install the patch as soon as it is made available for their operating systems, networked appliances, and software.

How common is this?

OpenSSL is most commonly used by open-source web servers such as Apache and Nginx. According to Netcraft’s April 2014 Web Server Survey, the combined market share of those two among all active sites on the Internet was more than 66 percent. Additionally, OpenSSL is used to protect email servers (SMTP, POP, and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances, and a wide range of client-side software. Fortunately, a conservative choice of SSL/TLS termination equipment and software has spared many large consumer sites. Check out this link for more information.

Does this bug affect me?

You are likely to be affected, either directly or indirectly. OpenSSL is the most popular open-source cryptographic library and TLS (transport layer security) implementation for encrypting Internet traffic. Your favourite social site, your company’s site, a commerce site, a hobby site, a software download site, or even sites run by your government may be using vulnerable OpenSSL. Many online services use TLS to identify themselves to you as well as to protect your privacy and transactions. You may have networked appliances whose logins are secured by this flaky TLS implementation. Furthermore, you may have client-side software on your computer that could expose data from your computer if you connect to compromised services.

The ZOFixer.com security scan helps you find this vulnerability in your software and servers; you can use it by registering on our website and activating the 30-day trial.
