Worldwide Security Flaw - Heartbleed Bug

Yes, there is a vulnerability in the heartbeat functionality of OpenSSL (and only version 1.01 e, f and g, if I recall correctly).

The vulnerability leaks the server's private key, the part of the certificate that is used to decrypt traffic; ergo, anyone can get the server key and then decrypt private traffic in real time.

People who are affected therefore have to either upgrade (or downgrade) their version of OpenSSL, or they can recompile from source and not compile in the heartbeat functionality.

Since the keys are specific to the certificate (not the session), the certificate must also be reissued with a new public/private key pair (there is not a lot of sense in continuing to use a certificate to encrypt when the decrypt key is widely known!).
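
A check for the reissue step described in the post above, added here as an example and not part of the original post: it compares the public-key fingerprint of the old and the reissued certificate, because a reissue that reuses the old key pair changes nothing. The function names, file names and CN are hypothetical, and the sample certificates are constructed on the fly with the `openssl` CLI.

```bash
#!/bin/sh
# Added example: verify that a reissued certificate carries a NEW key pair.
# All names, paths and the CN below are constructed for this demo.

# Print the SHA-256 of a certificate's public key (SubjectPublicKeyInfo, DER).
spki_fingerprint() {
    spki_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$spki_pub" ] || return 1
    printf '%s\n' "$spki_pub" |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0: keys differ (rotated). Exit 1: same key. Exit 2: a cert was unreadable.
key_was_rotated() {
    old_fp=$(spki_fingerprint "$1") || return 2
    new_fp=$(spki_fingerprint "$2") || return 2
    [ -n "$old_fp" ] && [ -n "$new_fp" ] || return 2
    [ "$old_fp" != "$new_fp" ]
}

# Constructed sample data: the original cert, a reissue that reuses the old
# key (the mistake), and a reissue on a freshly generated key (the fix).
make_sample_certs() {
    subj="/CN=heartbleed-demo.example"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
        -keyout "$1/old.key" -out "$1/old.crt" 2>/dev/null &&
    openssl req -x509 -new -key "$1/old.key" -days 1 -subj "$subj" \
        -out "$1/reissued_same_key.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
        -keyout "$1/new.key" -out "$1/reissued_new_key.crt" 2>/dev/null
}

demo_dir=$(mktemp -d) || exit 1
make_sample_certs "$demo_dir" || { rm -rf "$demo_dir"; exit 1; }
for cert in reissued_same_key reissued_new_key; do
    if key_was_rotated "$demo_dir/old.crt" "$demo_dir/$cert.crt"; then
        echo "$cert: new key pair, safe to deploy"
    else
        echo "$cert: key NOT rotated (or certificate unreadable)"
    fi
done
rm -rf "$demo_dir"
```

In practice, point `key_was_rotated` at the saved pre-incident certificate and the one the CA returned before deploying it.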