Heartbleed is a vulnerability in OpenSSL that came to light in April of 2014; it was present on thousands of web servers, including those running major sites like Yahoo. OpenSSL is an open source code library that implements the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. The vulnerability meant that a malicious user could easily trick a vulnerable web server into sending sensitive information, including usernames and passwords. The TLS/SSL standards are crucial for modern web encryption, and while the flaw was in the OpenSSL implementation rather than the standards themselves, OpenSSL is so widely used (when the bug was made public, it affected 17% of all SSL servers) that it precipitated a security crisis. The name Heartbleed comes from heartbeat, which is the name for an important component of the TLS/SSL protocol. The heartbeat is how two computers communicating with one another let each other know that they’re still connected even if the user isn’t downloading or uploading anything at the moment. Occasionally, one of those computers will send an encrypted piece of data, called a heartbeat request, to the other.
The second computer will reply with the exact same encrypted piece of data, proving that the connection is still in place. Imagine you’re reading your Yahoo mail but haven’t done anything in a while to load more information. Your web browser wants to make sure Yahoo’s server is still up and listening, so it will send a message saying, in essence, “This is a 40 KB message you’re about to get. Repeat it all back to me.” This is the heartbeat request we discussed earlier. Heartbeat requests can be of variable sizes (up to 64 KB), and each request needs to include information about its specific length. When Yahoo’s server receives that message, it allocates a memory buffer (a region of physical memory where it can store information) equal in size to the reported length of the heartbeat request. Next, the server stores the encrypted data from the request into that memory buffer, then immediately reads the data back out of it and sends it back to your web browser. When your browser gets back the same information it sent out, it can be sure it still has a connection to the server it’s been talking to up to this point. The Heartbleed vulnerability arose because OpenSSL’s implementation of the heartbeat functionality was missing a crucial safeguard: the computer that received the heartbeat request never checked to make sure the request was actually as long as it claimed to be. So if a request said it was 40 KB long but was actually only 20 KB, the receiving computer would set aside 40 KB of memory buffer, then store the 20 KB it actually received, then send back that 20 KB plus whatever happened to be in the next 20 KB of memory. There could be all kinds of things in that 20 KB, because even when a computer is done with information, that data persists in memory buffers until something else comes along to overwrite it. That extra 20 KB of data is information that the attacker has now extracted from the web server.
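As an added illustration (not code from the original post), here is the missing safeguard described above, written in C: a heartbeat handler with the length check that Heartbleed lacked, beside the same handler with that check switched off, run against a constructed memory image so the over-read stays inside the demo's own array. The record layout follows RFC 6520 (type, 2-byte payload length, payload, at least 16 bytes of padding); the function names, the sample bytes and the "stale data" are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 6520 heartbeat record: 1-byte type, 2-byte payload_length, payload,
   then at least 16 bytes of padding. Names and sample values are constructed. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Returns the payload length to echo, or -1 if the record is malformed.
   The enforce_check branch is the bounds check that Heartbleed lacked. */
static int heartbeat_payload_len(const uint8_t *rec, size_t record_len, int enforce_check)
{
    if (record_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* Header + claimed payload + minimum padding must fit in what was received. */
    if (enforce_check && 3 + claimed + HB_PADDING > record_len) return -1;
    return (int)claimed;
}

/* Simulated server: `mem` holds the received record followed by whatever stale
   bytes sit after it. Builds the response in `out`; returns its length or -1.
   mem_len bounds the copy so this demo never reads outside its own array. */
int process_heartbeat(const uint8_t *mem, size_t mem_len, size_t record_len,
                      int enforce_check, uint8_t *out, size_t out_cap)
{
    int n = heartbeat_payload_len(mem, record_len, enforce_check);
    if (n < 0) return -1;
    size_t payload = (size_t)n;
    if (3 + payload > mem_len || 3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, mem + 3, payload);   /* copies `payload` bytes, checked or not */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Constructed memory: a 23-byte record claiming 32 payload bytes but carrying
   only "ping", followed by stale data left over from earlier processing. */
static const uint8_t SERVER_MEM[] = {
    HB_REQUEST, 0x00, 0x20, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    'S', 'T', 'A', 'L', 'E', '-', 'D', 'A', 'T', 'A', '-', '0', '1', '2', '3', '4'
};
#define RECORD_LEN 23
static uint8_t RESPONSE[64];

/* Runs the demo against SERVER_MEM; returns the response length or -1. */
int heartbeat_demo(int enforce_check)
{
    return process_heartbeat(SERVER_MEM, sizeof SERVER_MEM, RECORD_LEN,
                             enforce_check, RESPONSE, sizeof RESPONSE);
}
```

With the check on, the malformed record is dropped; with it off, the response echoes the four real payload bytes, the padding, and twelve bytes that were never part of the request.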