If You Want Privacy or Anonymity or Security, Stay Off the Internet This Week
The irony is, those who have put the most effort into privacy and security are the most vulnerable.
The bug exposes the popular cryptographic software OpenSSL, a mainstay of web encryption. Heartbleed makes it possible for anyone to eavesdrop on encrypted sites and access the sensitive data they're supposed to be protecting, all without leaving any trace on the site's server. Even worse, attackers can also retrieve cryptographic keys and passwords and use that information to decrypt any past or future web traffic.

The bug was introduced in the 1.0.1 version of OpenSSL in 2012, which means that for two years attackers exploiting the bug could have exposed VPNs and anonymity services, revealing users' emails, instant messages, and browsing activity. And there's no way to know who was compromised.
The sites and web users most at risk are the ones who took precautions to hide their tracks. The lion's share of websites that use the HTTPS secure communications protocol run OpenSSL, as do many sites specifically designed to hide users' identity, including the Tor onion network.
The Tor Project wrote in a blog post yesterday that its clients, relays, and hidden services were all vulnerable to the Heartbleed bug. Ostensibly, anyone who had been using Tor—be it to buy drugs on the black market or to protect themselves from oppressive governments or anything in between—may have had their activity monitored and encryption keys stolen.
"If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle," the Tor Project wrote.
The bug's reach goes far beyond the clandestine corners of the web. A recent survey from the internet security firm Netcraft showed that 66 percent of websites run on the open source web servers Apache and Nginx, which use OpenSSL by default. So do many operating systems and applications, including the Ubuntu, CentOS, Fedora, and OpenSUSE distributions of Linux, as well as OpenBSD and FreeBSD, Ars Technica reported.
The researchers who discovered Heartbleed, from Google and the security firm Codenomicon, wrote yesterday that large consumer sites often run older versions of OpenSSL that do not contain the bug, and so "ironically, smaller and more progressive services or those who have upgraded to latest and best encryption will be affected most."
All told, some half a million websites are vulnerable, according to Netcraft, including Yahoo, Flickr, and OkCupid. There's a long list on GitHub.
A couple of tools and tip sheets are now floating around that let you test which websites are vulnerable to Heartbleed (the technical name is CVE-2014-0160). Of the Silicon Valley web giants, one such test showed Google, Microsoft, Twitter, Facebook, and Dropbox were safe, but Yahoo was vulnerable—though it's worth noting there's no knowing for sure how accurate that data is.
Image: Filipio.io Heartbleed test
"Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously," the researchers wrote.

A reportedly fixed version of OpenSSL was released yesterday, and security experts recommended that all sites using the software upgrade to the new version. To be super safe, they also suggest changing any passwords and crypto keys used over the last two years and updating your security certificate. Or, if you're really worried, you can take the Tor Project's advice and get off the web altogether for a while. It might be a good time to pick up that novel you've been meaning to finish.
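The remediation advice above (upgrade, then rotate keys and reissue certificates) is easy to get half right: a host that has been patched but still serves a certificate whose key existed while it was vulnerable is not done. The following triage script is an added example, not code from the Motherboard article or from the OpenSSL project; the inventory records and hostnames are constructed, and the version range it checks (1.0.1 through 1.0.1f and 1.0.2-beta1 affected, 1.0.1g fixed) is the published scope of CVE-2014-0160 rather than something stated on this page.

```python
import re
from datetime import date

# CVE-2014-0160 scope: the 1.0.1 branch from plain 1.0.1 up to and including
# 1.0.1f is affected, as is 1.0.2-beta1; 1.0.1g carries the fix. Older
# branches (0.9.8, 1.0.0) never had the heartbeat code that leaks memory.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?")

def is_heartbleed_version(banner: str) -> bool:
    """Return True if an `openssl version` banner falls in the vulnerable range."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"          # "" (plain 1.0.1) through "f" are affected
    if (major, minor, fix) == (1, 0, 2):
        return beta == "-beta1"
    return False

def remediation(host: dict) -> str:
    """Decide what one host in the (constructed) inventory still needs."""
    if is_heartbleed_version(host["openssl"]):
        return "upgrade OpenSSL, then rotate keys, reissue cert, reset passwords"
    patched_on = host.get("patched_on")
    if patched_on is None:
        return "not affected"         # never ran a vulnerable version
    # A key that existed while the host was vulnerable may already have leaked,
    # so the upgrade alone is not enough. The certificate's notBefore date is
    # used here as a proxy for when its key was generated.
    if host["cert_not_before"] < patched_on:
        return "patched, but key/cert predate the patch: rotate keys and reissue cert"
    return "remediated"

# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY = [
    {"host": "shop.example", "openssl": "OpenSSL 1.0.1e 11 Feb 2013",
     "cert_not_before": date(2013, 6, 1), "patched_on": None},
    {"host": "mail.example", "openssl": "OpenSSL 1.0.1g 7 Apr 2014",
     "cert_not_before": date(2013, 6, 1), "patched_on": date(2014, 4, 8)},
    {"host": "legacy.example", "openssl": "OpenSSL 1.0.0k 5 Feb 2013",
     "cert_not_before": date(2012, 1, 1), "patched_on": None},
]

def triage(inventory=INVENTORY) -> dict:
    """Map each hostname to the remediation step it still needs."""
    return {h["host"]: remediation(h) for h in inventory}

if __name__ == "__main__":
    for host, action in triage().items():
        print(f"{host}: {action}")
```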
Source: Motherboard (read the original entry here)
The views expressed in this section are the authors' own. It does not represent The North Bank Evening Standard (TNBES)'s editorial policy. Also, TNBES is not responsible for content on external links.