"सदस्यः:Kriyear/प्रयोगपृष्ठम्" इत्यस्य संस्करणे भेदः

{{Use mdy dates|date=April 2014}}
{{current|date=April 2014}}
[[File:Heartbleed.svg|thumb|Logo representing the Heartbleed bug. The logo and the name "Heartbleed" have contributed to public awareness of the issue.<ref name="McKenzie">{{cite web|url=http://www.kalzumeus.com/2014/04/09/what-heartbleed-can-teach-the-oss-community-about-marketing/|title=What Heartbleed Can Teach The OSS Community About Marketing|last=McKenzie|first=Patrick|date=April 9, 2014|accessdate=April 10, 2014}}</ref><ref name="Biggs">{{cite web|url=http://techcrunch.com/2014/04/09/heartbleed-the-first-consumer-grade-exploit/|title=Heartbleed, The First Security Bug With A Cool Logo|last=Biggs|first=John|date=April 9, 2014|work=[[TechCrunch]]|accessdate=10 April 2014}}</ref>]]
'''Heartbleed''' is a [[software bug]] in the [[open-source]] [[cryptography]] library [[OpenSSL]], which allows an attacker to read the memory of the host computer (for example, a [[Web server]]), allowing them to retrieve potentially privacy-sensitive data.<ref name="NYT-20140411">{{cite news |last1=Perlroth |first1=Nicole |last2=Hardy |first2=Quentin |title=Heartbleed Flaw Could Reach to Digital Devices, Experts Say |url=http://www.nytimes.com/2014/04/11/business/security-flaw-could-reach-beyond-websites-to-digital-devices-experts-say.html |date=April 11, 2014 |work=[[New York Times]] |accessdate=April 11, 2014 }}</ref><ref name="NYT-20140409">{{cite news |last=Chen |first=Brian X. |title=Q. and A. on Heartbleed: A Flaw Missed by the Masses |url=http://bits.blogs.nytimes.com/2014/04/09/qa-on-heartbleed-a-flaw-missed-by-the-masses/ |date=April 9, 2014 |work=[[New York Times]] |accessdate=April 10, 2014 }}</ref><ref name="NYT-20140410a">{{cite news |last=Wood |first=Molly |title=Flaw Calls for Altering Passwords, Experts Say |url=http://www.nytimes.com/2014/04/10/technology/flaw-calls-for-altering-passwords-experts-say.html |date=April 10, 2014 |work=[[New York Times]] |accessdate=April 10, 2014 }}</ref><ref name="NYT20140410">{{cite news |last=Manjoo |first=Farhad |title=Users’ Stark Reminder: As Web Grows, It Grows Less Secure |url=http://www.nytimes.com/2014/04/10/technology/users-stark-reminder-as-web-grows-it-grows-less-secure.html |date=April 10, 2014 |work=[[New York Times]] |accessdate=April 10, 2014 }}</ref>
 
Based on examinations of audit logs by researchers, it has been reported that some attackers may have exploited the flaw for at least five months before discovery and announcement.<ref>{{cite web |first=Sean |last=Gallagher |title=Heartbleed vulnerability may have been exploited months before patch |url=http://arstechnica.com/security/2014/04/heartbleed-vulnerability-may-have-been-exploited-months-before-patch/ |work=[[Ars Technica]] |date=April 9, 2014 |accessdate=April 10, 2014}}</ref><ref>[http://blog.erratasec.com/2014/04/no-we-werent-scanning-for-hearbleed.html#.U0Z5kfmSxMi "No, we weren't scanning for hearbleed before April 7"]</ref><ref>[https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013 "Were Intelligence Agencies Using Heartbleed in November 2013?"], April 10, 2014, Peter Eckersley, EFF.org</ref> There have been unconfirmed reports that the United States [[National Security Agency]] was aware of the flaw since shortly after its introduction, but chose to keep it secret, instead of reporting it, in order to exploit it for their own purposes.<ref name="bloomberg">{{cite web|last=Riley |first=Michael |url=http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html |title=NSA Said to Exploit Heartbleed Bug for Intelligence for Years |publisher=Bloomberg |date= |accessdate=2014-04-11}}</ref>
 
==History==
In April 2014, Neel Mehta of Google Security reported a [[software bug|bug]] in all versions of OpenSSL in the 1.0.1 series released since March 14, 2012. The bug entailed a severe memory handling error in the implementation of the [[Transport Layer Security]] (TLS) Heartbeat Extension.<ref>{{cite web|title=Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension|url=https://tools.ietf.org/html/rfc6520|work=RFC 6520|publisher=Internet Engineering Task Force (IETF)|accessdate=April 8, 2014|author=Seggelmann, R. et al.|date=February 2012}}</ref><ref name="openssl1">{{cite web|title=OpenSSL Security Advisory [07 Apr 2014]|url=https://www.openssl.org/news/secadv_20140407.txt|author=OpenSSL.org|accessdate=April 9, 2014 |date=April 7, 2014}}</ref> This defect could be used to reveal up to 64&nbsp;[[kilobyte]]s of the application's memory with every [[heartbeat (computing)|heartbeat]].<ref>{{cite web| last = OpenSSL| title = TLS heartbeat read overrun (CVE-2014-0160)| accessdate=April 8, 2014| date=April 7, 2014| url = https://www.openssl.org/news/secadv_20140407.txt}}</ref> The bug is registered in the [[Common Vulnerabilities and Exposures]] system as CVE-2014-0160.<ref>{{cite web|url=https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 |title=CVE - CVE-2014-0160 |publisher=Cve.mitre.org |date= |accessdate=April 10, 2014}}</ref>
 
The bug is exercised by sending a malformed heartbeat request to the server in order to elicit the server's response, which normally consists of the same data buffer that was received. Due to a lack of [[bounds checking]], the affected versions of OpenSSL did not verify that the declared payload length of a heartbeat request fitted the record actually received, so the server's reply could contain up to 64 kilobytes of whatever lay beyond the request in its memory.<ref name="troyhunt">{{cite web|url=http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html|accessdate=April 10, 2014|title=Everything you need to know about the Heartbleed SSL bug |date=April 9, 2014|author=Troy Hunt}}</ref>
 
The vulnerability has existed since December 31, 2011 and the vulnerable code has been in widespread use since the release of OpenSSL version 1.0.1 on March 14, 2012.<ref name="hb">{{cite web| last = Codenomicon Ltd| title = Heartbleed Bug| accessdate = 2014-04-08| date =April 8, 2014| url = http://heartbleed.com/}}</ref><ref>{{cite web| last = Goodin| first = Dan| title = Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping| work = Ars Technica| accessdate = April 8, 2014| date = April 8, 2014| url = http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/}}</ref><ref name="hbos">{{cite web| title = "OpenSSL Heartbleed bug: what's at risk on the server and what is not" | author = Hagai Bar-El | accessdate = April 9, 2014| date = April 9, 2014| url = http://www.hbarel.com/openssl-heartbleed-bug}}</ref>
 
The bug was named by an engineer at the firm [[Codenomicon]], a Finnish cybersecurity company, which also created the bleeding heart logo, and launched the domain ''Heartbleed.com'' to explain the bug to the public.<ref>{{cite web|url=http://www.washingtonpost.com/blogs/style-blog/wp/2014/04/09/why-is-it-called-the-heartbleed-bug/ | title="Why is it called the ‘Heartbleed Bug’?"}}</ref> According to Codenomicon, [[Neel Mehta]] of Google Security first reported the bug to OpenSSL, but both Google and Codenomicon discovered it independently.<ref name="hb" /> Mehta also congratulated Codenomicon, without going into detail about their role.<ref name="mehta twitter">{{cite web | url=https://twitter.com/neelmehta/status/453542518584381440 | title=Don't forget to patch DTLS | publisher=Twitter | accessdate=2014-04-11 | author=Mehta, Neel}}</ref>
==Impact==
By reading an arbitrary block of the web server's memory, attackers might receive sensitive data, compromising the security of the server and its users. Vulnerable data include the server's [[Public-key cryptography|private master key]],<ref name="hb"/><ref name="hbos"/> which would enable attackers to decrypt current or stored traffic via passive [[man-in-the-middle]] attack (if [[perfect forward secrecy]] is not used by the server and client), or active man-in-the-middle if perfect forward secrecy is used. The attacker cannot control which data are returned, as the server responds with a random chunk of its own memory.
 
The bug might also reveal unencrypted parts of users' requests and responses, including any form [[POST (HTTP)|post data]] in users' requests, [[session cookie]]s and passwords, which might allow attackers to [[Session hijacking|hijack the identity]] of another user of the service.<ref name="ipsec">{{cite web |url=http://ipsec.pl/ssl-tls/2014/why-heartbleed-dangerous-exploiting-cve-2014-0160.html |title=Why Heartbleed is dangerous? Exploiting CVE-2014-0160 |date=2014 |publisher=IPSec.pl}}</ref> At its disclosure, some 17% or half a million of the Internet's secure [[web servers]] certified by [[Certificate authority|trusted authorities]] were believed to have been vulnerable to an attack.<ref>{{cite web|last=Mutton|first=Paul|title=Half a million widely trusted websites vulnerable to Heartbleed bug|url=http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html|publisher=[[Netcraft]] Ltd.|accessdate=April 8, 2014|date=April 8, 2014}}</ref> The [[Electronic Frontier Foundation]],<ref>{{cite web|url=https://www.eff.org/deeplinks/2014/04/why-web-needs-perfect-forward-secrecy |title=Why the Web Needs Perfect Forward Secrecy More Than Ever &#124; Electronic Frontier Foundation |publisher=Eff.org |date=March 18, 2011 |accessdate=April 10, 2014}}</ref> [[Ars Technica]],<ref>{{cite web|last=Goodin |first=Dan |url=http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/ |title=Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style |publisher=Ars Technica |date= |accessdate=April 10, 2014}}</ref> and [[Bruce Schneier]]<ref>{{cite web|url=https://www.schneier.com/blog/archives/2014/04/heartbleed.html |title=Schneier on Security: Heartbleed |publisher=Schneier.com |date= |accessdate=April 10, 2014}}</ref> all deemed the Heartbleed bug "catastrophic." 
Forbes cybersecurity columnist, Joseph Steinberg, described the bug as potentially "the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet."<ref>{{cite web| last=Steinberg |first=Joseph |url= http://www.forbes.com/sites/josephsteinberg/2014/04/10/massive-internet-security-vulnerability-you-are-at-risk-what-you-need-to-do/ |title= Massive Internet Security Vulnerability -- Here's What You Need To Do |publisher=Forbes |date= |accessdate=April 10, 2014}}</ref>
 
==Affected OpenSSL versions==
* OpenSSL 1.0.2-beta
* OpenSSL 1.0.1 – OpenSSL 1.0.1f
** Unless an operating system patch for CVE-2014-0160 has been installed that doesn't change the library version, which is the case for [[Debian]] (including derivatives such as [[Ubuntu (operating system)|Ubuntu]] and [[Linux Mint]]), [[FreeBSD]] and [[Red Hat Enterprise Linux]], including derivatives such as [[CentOS]] and [[Amazon Linux]].
 
===Unaffected versions===
* OpenSSL 1.0.2-beta2 (upcoming)
* OpenSSL 1.0.1g
* OpenSSL 1.0.0 (and 1.0.0 branch releases)
* OpenSSL 0.9.8 (and 0.9.8 branch releases)
 
To resolve the bug, server administrators are advised{{by whom|date=April 2014}} either to upgrade to 1.0.1g or to recompile OpenSSL with <tt>-DOPENSSL_NO_HEARTBEATS</tt>, which disables the vulnerable feature until the server software can be updated.
 
==Reaction==
On the day of the announcement, 7 April 2014, the [[Tor Project]] issued an announcement on its blog and advised that anyone seeking "strong anonymity or privacy on the Internet" should "stay away from the Internet entirely for the next few days while things settle." They also recommended that Tor relay operators and hidden service operators revoke and generate fresh keys after patching OpenSSL, but noted that Tor relays use two sets of keys and that Tor's multi-hop design minimizes the impact of exploiting a single relay.<ref>{{cite news
| title = OpenSSL bug CVE-2014-0160
| url = https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
| publisher = [[Tor Project]]
| date = April 7, 2014
| accessdate = April 9, 2014
}}</ref>
 
The [[Canada Revenue Agency]] (CRA) closed down its electronic services website over Heartbleed bug security concerns.<ref>{{cite news
| title = Security concerns prompts tax agency to shut down website
| url = http://www.ctvnews.ca/canada/security-concerns-prompts-tax-agency-to-shut-down-website-1.1767727
| publisher = [[CTV News]]
| date = April 9, 2014
| accessdate = April 9, 2014
}}</ref>
 
Platform maintainers like the Wikimedia Foundation advised their users to change passwords.<ref name="wikimedia">{{cite web|url=http://lists.wikimedia.org/pipermail/wikitech-l/2014-April/075801.html|title=[Wikitech-l] Fwd: Security precaution - Resetting all user sessions today|last=Grossmeier|first=Greg|date=April 8, 2014|publisher=[[Wikimedia Foundation]]|accessdate=April 9, 2014}}</ref>
 
An analysis posted on [[GitHub]] of the top 1000 most visited websites as of April 8, 2014 revealed vulnerabilities in sites including [[Yahoo!]], [[Imgur]], [[Stack Overflow (website)|Stack Overflow]], [[Slate (magazine)|Slate]], and [[DuckDuckGo]].<ref name="top1000">{{cite web
| url = https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
| title = heartbleed-masstest/top1000.txt
| date = April 8, 2014
| website = [[GitHub]]
| accessdate = April 9, 2014
}}</ref><ref>{{cite web |last=Cipriani |first=Jason |title=Which sites have patched the Heartbleed bug? |url= http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/ |date=April 10, 2014 |website= [[CNET]] |accessdate=April 10, 2014 }}</ref>
 
[[Theo de Raadt]], founder and leader of the [[OpenBSD]] and [[OpenSSH]] projects, has criticized the OpenSSL developers for explicitly circumventing OpenBSD [[C standard library]] exploit countermeasures, saying "OpenSSL is not developed by a responsible team."<ref>{{cite web|url=http://it-beta.slashdot.org/story/14/04/10/1343236/theo-de-raadts-small-rant-on-openssl |title=Theo De Raadt's Small Rant On OpenSSL - Slashdot |publisher=It-beta.slashdot.org |date= |accessdate=2014-04-11}}</ref><ref>{{cite web|url=http://article.gmane.org/gmane.os.openbsd.misc/211963 |title=Re: FYA: http: heartbleed.com |publisher=Gmane |date= |accessdate=2014-04-11}}</ref>
 
The author of the bug, Robin Seggelmann,<ref>{{cite web|author=Lia Timson |url=http://www.smh.com.au/it-pro/security-it/who-is-robin-seggelmann-and-did-his-heartbleed-break-the-internet-20140411-zqtjj.html |title=Who is Robin Seggelmann and did his Heartbleed break the internet? |publisher=Smh.com.au |date= |accessdate=2014-04-11}}</ref> stated that he "missed validating a variable containing a length" and denied any intention to submit a flawed implementation.<ref>{{cite news
| title = Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately
| url = http://www.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html
| publisher = [[The Sydney Morning Herald]]
| date = April 11, 2014
| accessdate = April 11, 2014
}}</ref>
 
==Affected websites and services==
===Announcements===
The following sites have services affected or made announcements recommending that users update passwords in response to the bug:
{{col-list|2|
*[[Akamai Technologies]]<ref>{{cite news
| title = Heartbleed FAQ: Akamai Systems Patched
| url = https://blogs.akamai.com/2014/04/heartbleed-faq-akamai-systems-patched.html
| publisher = [[Akamai Technologies]]
| date = April 8, 2014
| accessdate = April 9, 2014
}}</ref>
*[[Amazon Web Services]]<ref>{{cite news
| title = AWS Services Updated to Address OpenSSL Vulnerability
| url = https://aws.amazon.com/security/security-bulletins/aws-services-updated-to-address-openssl-vulnerability/
| publisher = [[Amazon Web Services]]
| date = April 8, 2014
| accessdate = April 9, 2014
}}</ref>
*[[Ars Technica]]<ref>{{cite news
| title = Dear readers, please change your Ars account passwords ASAP
| url = http://arstechnica.com/security/2014/04/dear-readers-please-change-your-ars-account-passwords-asap/
| publisher = Ars Technica
| date = April 8, 2014
| accessdate = April 9, 2014
}}</ref>
*[[Bitbucket]]<ref>{{cite news
| title = All Heartbleed upgrades are now complete
| url = http://blog.bitbucket.org/2014/04/09/all-heartbleed-upgrades-are-now-complete/
| publisher = BitBucket Blog
| date = April 9, 2014
| accessdate = April 9, 2014
}}</ref>
*BrandVerity<ref>{{cite news
| title = Keeping Your BrandVerity Account Safe from the Heartbleed Bug
| url = http://blog.brandverity.com/2721/keeping-your-brandverity-account-safe-from-the-heartbleed-bug/
| publisher = BrandVerity Blog
| date = April 9, 2014
| accessdate = April 10, 2014
}}</ref>
*[[GitHub]]<ref>{{cite news
| title = Security: Heartbleed vulnerability
| url = https://github.com/blog/1818-security-heartbleed-vulnerability
| publisher = [[GitHub]]
| date = April 8, 2014
| accessdate = April 9, 2014
}}</ref>
*[[IFTTT]]<ref>{{cite news
| title = IFTTT Says It Is 'No Longer Vulnerable' To Heartbleed
| url = http://www.lifehacker.com.au/2014/04/ifttt-says-it-is-no-longer-vulnerable-to-heartbleed/
| publisher = [[LifeHacker]]
| date = April 8, 2014
| accessdate = April 9, 2014
}}</ref>
*[[PeerJ]]<ref>{{cite news
| title = The widespread OpenSSL ‘Heartbleed’ bug is patched in PeerJ
| url = http://blog.peerj.com/post/82185230692/the-widespread-openssl-heartbleed-bug-is-patched-in
| publisher = [[PeerJ]]
| date = April 9, 2014
| accessdate = April 9, 2014
}}</ref>
*[[SoundCloud]]<ref>{{cite news
| url =http://blog.soundcloud.com/2014/04/09/heartbleed/
| title =Security Update: We’re going to sign out everyone today, here’s why
|last=Codey|first=Brendan
|date=April 9, 2014|publisher=[[SoundCloud]]|accessdate=April 9, 2014
}}</ref>
* [[SourceForge]]<ref>{{cite news
| url =https://sourceforge.net/blog/sourceforge-response-to-heartbleed/
| title =Sourceforge response to heartbleed
|last=Codey|first=Brendan
|date=April 10, 2014|publisher=[[SoundCloud]]|accessdate=April 10, 2014
}}</ref>
*[[SparkFun]]<ref>{{cite news
| url =https://www.sparkfun.com/news/1455
| title =Heartbleed
|date=April 9, 2014|publisher=[[SparkFun]]|accessdate=April 9, 2014
}}</ref>
*[[Stripe (company)]]<ref>{{cite news
| title = Heartbleed
| url = https://stripe.com/blog/heartbleed
| publisher = [[Stripe (company)]]
| date = April 9, 2014
| accessdate = April 10, 2014
}}</ref>
*[[Tumblr]]<ref>{{cite web|url=http://staff.tumblr.com/post/82113034874/urgent-security-update|title=Tumblr Staff-Urgent security update|date=April 8, 2014|accessdate=April 9, 2014}}</ref><ref name="Hern 2014">{{cite news
| title = Heartbleed: don't rush to update passwords, security experts warn
| first = Alex
| last = Hern
| url = http://www.theguardian.com/technology/2014/apr/09/heartbleed-dont-rush-to-update-passwords-security-experts-warn
| publisher = ''[[The Guardian]]''
| date = April 9, 2014
| accessdate = April 9, 2014
}}</ref>
*[[Wattpad]]
*[[Wikimedia]] (including Wikipedia)<ref name="wikimedia" /><ref>{{cite web|url=https://blog.wikimedia.org/2014/04/10/wikimedias-response-to-the-heartbleed-security-vulnerability/|title=Wikimedia's response to the "Heartbleed" security vulnerability|last=Grossmeier|first=Greg|date=April 10, 2014|work=Wikimedia Foundation blog|publisher=Wikimedia Foundation|accessdate=10 April 2014}}</ref>
*[[Wunderlist]]<ref>{{cite web|url=http://support.wunderlist.com/customer/portal/articles/1508382-sync-service-heartbleed---8th-of-april-2014|title=Wunderlist & the Heartbleed OpenSSL Vulnerability|date=April 10, 2014}}</ref>
}}
 
[[LastPass Password Manager]] was not vulnerable, due to its use of [[forward secrecy]], but it recommended users change passwords that LastPass stored for vulnerable websites.<ref>{{cite news
| title = LastPass and the Heartbleed Bug
| url = http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html
| publisher = [[LastPass]]
| date = April 8, 2014
| accessdate = April 10, 2014
}}</ref>
 
[[LogMeIn]] claimed to have "updated many products and parts of our services that rely on OpenSSL".<ref name="logmein">{{cite news
| title = LogMeIn and OpenSSL
| url = http://blog.logmein.com/products/openssl
| publisher = [[LogMeIn]]
| date =
| accessdate = April 10, 2014
}}</ref>
 
==Affected software applications==
* [[IPCop]] 2.1.4 was released on April 8, 2014 with a fix for "the OpenSSL library everybody is talking about".<ref name="ipcop">{{cite web |url=http://marc.info/?l=ipcop-announce&m=139697815506679 |title=IPCop 2.1.4 is released |author=IPCop |authorlink=IPCop |date=8 April 2014 |publisher=[[SourceForge]] [[electronic mailing list]]s |id=139697815506679 |accessdate=11 April 2014}}</ref>
* [[LibreOffice]] 4.2.3 was released on April 10, 2014 with a fix for CVE-2014-0160<ref name="libreoffice">{{cite web |url=http://blog.documentfoundation.org/2014/04/10/libreoffice-4-2-3-is-now-available-for-download/ |title=LibreOffice 4.2.3 is now available for download |author=italovignoli |date=10 April 2014 |website=[[The Document Foundation]] |archiveurl=http://web.archive.org/web/20140412013421/http://blog.documentfoundation.org/2014/04/10/libreoffice-4-2-3-is-now-available-for-download/ |archivedate=12 April 2014 |deadurl=no |accessdate=11 April 2014}}</ref>
* [[LogMeIn]] claimed to have "updated many products and parts of our services that rely on OpenSSL".<ref name="logmein"/>
 
==National Security Agency exploitation==
[[Bloomberg News]] reported that the [[United States]]' [[National Security Agency]] regularly exploited the bug to gather [[Intelligence assessment|intelligence]], and has been aware of the bug for at least two years.<ref name="bloomberg"/><ref>{{cite web|url=http://www.usatoday.com/story/tech/2014/04/11/heartbleed-cisco-juniper/7589759/ |title=Report: NSA exploited Heartbleed for years |publisher=Usatoday.com |date= |accessdate=2014-04-11}}</ref><ref>{{cite web|url=http://business.financialpost.com/2014/04/11/nsa-exploited-heartbleed-bug-for-two-years-to-gather-intelligence-sources-say/?__lsa=bafb-de4a |title=NSA exploited Heartbleed bug for two years to gather intelligence, sources say &#124; Financial Post |publisher=Business.financialpost.com |date= |accessdate=2014-04-11}}</ref>
 
==Fix==
The bug is classified as a buffer over-read,<ref>{{cite web|url=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 |title=CVE - CVE-2014-0160 |publisher=Cve.mitre.org |date= |accessdate=April 10, 2014}}</ref> a situation where software allows more data to be read than should be allowed.<ref>{{cite web|url=http://cwe.mitre.org/data/definitions/126.html |title=CWE - CWE-126: Buffer Over-read (2.6) |publisher=Cwe.mitre.org |date=February 18, 2014 |accessdate=April 10, 2014}}</ref>
 
Version 1.0.1g of OpenSSL adds some bounds checks to prevent the buffer over-read. For example, the test
<source lang="c">
if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0; /* silently discard per RFC 6520 sec. 4 */
</source>
has been added in front of the line
<source lang="c">
pl = p;
</source>
A complete list of changes is available at [http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902 git.openssl.org].<ref>{{cite web|url=http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902 |title=Git - openssl.git/commitdiff |publisher=Git.openssl.org |date=April 5, 2014 |accessdate=April 10, 2014}}</ref>
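As an added illustration (not OpenSSL's code), the following C model contrasts the unpatched length handling with the two bounds checks 1.0.1g introduced: the test quoted above, and the minimum-size check that precedes it in the same commit. All function and type names are hypothetical, the records are constructed, and the unpatched path only reports how far past the record a response copy would have reached rather than reading anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * OpenSSL reads it out of the TLS record s->s3->rrec, whose true length is rrec.length;
 * that value is the rec_len argument below. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_HDR       (1 + 2)

/* Outcome of validating one heartbeat request against the record it arrived in. */
typedef struct {
    int    accepted;   /* 1 if a response may be built, 0 if the request is discarded */
    size_t payload;    /* peer-supplied payload_length field */
    size_t over_read;  /* bytes a response would have copied from beyond rec_len */
} hb_check;

static size_t hb_payload_len(const unsigned char *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Modelled pre-1.0.1g logic: the peer-supplied length is trusted and the response
 * copy is sized from it, never from rrec.length. Nothing is read here; the function
 * only reports how far past the record the copy would have gone. */
hb_check hb_check_unpatched(const unsigned char *rec, size_t rec_len) {
    hb_check r = {0, 0, 0};
    if (rec == NULL || rec_len < HB_HDR) return r;
    r.payload = hb_payload_len(rec);
    size_t needed = HB_HDR + r.payload + HB_PADDING;
    r.over_read = needed > rec_len ? needed - rec_len : 0;
    r.accepted = 1;                       /* never rejected: this is the bug */
    return r;
}

/* 1.0.1g logic: a record too small to hold type, length and padding is dropped,
 * then the quoted test drops any request whose payload does not fit the record. */
hb_check hb_check_patched(const unsigned char *rec, size_t rec_len) {
    hb_check r = {0, 0, 0};
    if (rec == NULL) return r;
    if (HB_HDR + HB_PADDING > rec_len) return r;             /* silently discard */
    r.payload = hb_payload_len(rec);
    if (HB_HDR + r.payload + HB_PADDING > rec_len) return r; /* silently discard per RFC 6520 sec. 4 */
    r.accepted = 1;
    return r;
}

/* Builds the heartbeat response only after the patched check passes.
 * Returns the response length, or 0 if the request is discarded or out is too small. */
size_t hb_build_response(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    hb_check c = hb_check_patched(rec, rec_len);
    if (!c.accepted || rec[0] != HB_REQUEST) return 0;
    size_t resp_len = HB_HDR + c.payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, c.payload);    /* echo payload, now known to be in bounds */
    memset(out + HB_HDR + c.payload, 0, HB_PADDING); /* zero padding here; real code uses random bytes */
    return resp_len;
}

/* Helpers over a local buffer large enough for the samples below. */
size_t hb_response_len(const unsigned char *rec, size_t rec_len) {
    unsigned char out[256];
    return hb_build_response(rec, rec_len, out, sizeof out);
}

int hb_response_echoes(const unsigned char *rec, size_t rec_len) {
    unsigned char out[256];
    size_t n = hb_build_response(rec, rec_len, out, sizeof out);
    return n != 0 && out[0] == HB_RESPONSE &&
           memcmp(out + HB_HDR, rec + HB_HDR, hb_payload_len(rec)) == 0;
}

/* Constructed sample records (not captured traffic). */
/* Well-formed: 5-byte payload "hello" followed by 16 bytes of padding (24 bytes total). */
static const unsigned char hb_good[] = {
    HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Same 24 bytes, but the length field claims 65535 bytes of payload. */
static const unsigned char hb_bad[] = {
    HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

size_t hb_good_len(void) { return sizeof hb_good; }
size_t hb_bad_len(void)  { return sizeof hb_bad; }
```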
 
Although patching software (the OpenSSL library and any [[Static library|statically linked]] binaries) fixes the bug, running software will continue to use its in-memory OpenSSL code with the bug until each application is shut down and restarted, so that the patched code can be loaded. Further, in order to regain privacy and secrecy, all private or secret data must be replaced, since it is not possible to know if they were compromised while the vulnerable code was in use:<ref>{{cite web|url=http://haydenjames.io/patched-servers-remain-vulnerable-heartbleed-openssl/ |title=Patched Servers Remain Vulnerable to Heartbleed OpenSSL &#124; Hayden James |publisher=Haydenjames.io |date= |accessdate=April 10, 2014}}</ref>
* all possibly compromised private key-public key pairs must be regenerated,
* all certificates linked to those possibly compromised key pairs need to be revoked and replaced, and
* all passwords on the possibly compromised servers need to be changed.
 
==Testing for vulnerabilities==
Several services were made available to test whether the Heartbleed bug was present on a given site, including:
* Heartbleed testing tool by a European IT security company<ref>{{cite web|url=http://possible.lv/tools/hb/ |title=Heartbleed OpenSSL extension testing tool, CVE-2014-0160 |publisher=Possible.lv |date= |accessdate=2014-04-11}}</ref>
* Heartbleed Scanner by Italian cryptologist Filippo Valsorda<ref>[http://filippo.io/Heartbleed Heartbleed Scanner] by Italian cryptologist Filippo Valsorda</ref>
* [[Metasploit]] Heartbleed scanner module<ref>[[Metasploit Project|Metasploit]] [https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb module]</ref>
* Heartbleed Server Scanner by Rehmann<ref>[http://rehmann.co/projects/heartbeat Heartbleed Server Scanner] by Rehmann</ref>
* [[Lookout Mobile Security]] Heartbleed Detector, an app for [[Android (operating system)|Android]] devices that determines the OpenSSL version of the device and indicates whether the vulnerable heartbeat is enabled<ref>{{cite web|url=https://blog.lookout.com/blog/2014/04/09/heartbleed-detector/ |title=Heartbleed Detector: Check If Your Android OS Is Vulnerable with Our App |publisher=[[Lookout Mobile Security]] blog |date=April 9, 2014 |accessdate=April 10, 2014}}</ref>
* Heartbleed checker hosted by [[LastPass]]<ref>{{cite web|url=https://lastpass.com/heartbleed/ |title=Heartbleed checker |publisher=LastPass |date= |accessdate=2014-04-11}}</ref>
* Network range scanner for Heartbleed vulnerability by a security testing company<ref>{{cite web|url=https://pentest-tools.com/vulnerability-scanning/openssl-heartbleed-scanner/ |title=OpenSSL Heartbleed vulnerability scanner :: Online Penetration Testing Tools &#124; Ethical Hacking Tools |publisher=Pentest-tools.com |date= |accessdate=2014-04-11}}</ref>
* Official offline scanner in Python from Red Hat<ref>{{cite web|url=https://access.redhat.com/labs/heartbleed/heartbleed-poc.py|title=https://access.redhat.com/labs/heartbleed/heartbleed-poc.py}}</ref>
* [[Qualys]] SSL Labs' [https://www.ssllabs.com/ssltest/ SSL Server Test] which not only looks for the Heartbleed bug, but can also find other insecure SSL/TLS implementation errors like supporting the totally broken SSL2, insecure renegotiation, and weak ciphers.
* Browser extensions, such as [https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic Chromebleed] and [https://addons.mozilla.org/en-US/firefox/addon/foxbleed/ FoxBleed].
 
Other security tools have added support for finding this bug. For example, [[Sourcefire]] has released [[Snort (software)|Snort]] rules to detect Heartbleed attack traffic and possible Heartbleed response traffic.<ref>{{cite web|url=http://vrt-blog.snort.org/2014/04/heartbleed-memory-disclosure-upgrade.html |title=VRT: Heartbleed Memory Disclosure - Upgrade OpenSSL Now! |date=April 8, 2014 |accessdate=April 11, 2014}}</ref> [[Tenable Network Security]] wrote a plugin for its [[Nessus (software)|Nessus]] vulnerability scanner that can scan for this fault.<ref>{{cite web|url=http://www.tenable.com/blog/tenable-facilitates-detection-of-openssl-vulnerability-using-nessus-and-nessus-perimeter |title=Tenable Facilitates Detection of OpenSSL Vulnerability Using Nessus and Nessus Perimeter Service |first=Jeffrey |last=Mann |publisher=[[Tenable Network Security]] |date= April 9, 2014 |accessdate= April 11, 2014}}</ref>
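As an added example of the kind of length-consistency check such IDS rules perform (not Sourcefire's or Tenable's code), this C scanner walks the TLS records in a constructed byte stream and flags heartbeat records whose claimed payload cannot fit the record, and heartbeat responses above an assumed size threshold. The record layout follows the TLS record header and RFC 6520; the sample stream, the threshold and all names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* TLS record header: content_type(1) | version(2) | length(2, big-endian).
 * A heartbeat record (content type 24) carries: hb_type(1) | payload_length(2) | payload | padding(>=16). */
#define TLS_HDR            5
#define TLS_CT_HEARTBEAT   24
#define HB_REQUEST         1
#define HB_RESPONSE        2
#define HB_MIN_BODY        (1 + 2 + 16)
#define HB_RESPONSE_ALERT  1024   /* assumed threshold; a real rule set tunes this */

typedef enum {
    ALERT_NONE = 0,
    ALERT_MALFORMED,        /* claimed payload does not fit its record: the over-read trigger shape */
    ALERT_LARGE_RESPONSE,   /* heartbeat response far larger than any sane payload */
    ALERT_TRUNCATED         /* record extends past the captured bytes */
} hb_alert_kind;

typedef struct {
    hb_alert_kind kind;
    size_t offset;          /* byte offset of the record in the stream */
    size_t record_len;      /* declared TLS record length */
    size_t claimed_payload; /* heartbeat payload_length field, if readable */
} hb_alert;

static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify one heartbeat record body of declared length rec_len, of which avail bytes were captured. */
static hb_alert_kind classify_heartbeat(const unsigned char *body, size_t rec_len,
                                        size_t avail, size_t *claimed) {
    *claimed = 0;
    if (rec_len < HB_MIN_BODY) return ALERT_MALFORMED;   /* cannot hold type, length and padding */
    if (avail < 3) return ALERT_TRUNCATED;               /* heartbeat header not captured */
    *claimed = be16(body + 1);
    if (1 + 2 + *claimed + 16 > rec_len) return ALERT_MALFORMED;
    if (body[0] == HB_RESPONSE && rec_len > HB_RESPONSE_ALERT) return ALERT_LARGE_RESPONSE;
    if (avail < rec_len) return ALERT_TRUNCATED;
    return ALERT_NONE;
}

/* Walks consecutive TLS records in buf and writes at most max alerts. Returns the alert count.
 * Non-heartbeat records are skipped; a record running past len ends the walk. */
size_t scan_tls_records(const unsigned char *buf, size_t len, hb_alert *alerts, size_t max) {
    size_t off = 0, n = 0;
    while (off + TLS_HDR <= len && n < max) {
        unsigned char ct = buf[off];
        size_t rec_len = be16(buf + off + 3);
        size_t body_off = off + TLS_HDR;
        size_t avail = len - body_off;
        if (avail > rec_len) avail = rec_len;
        if (ct == TLS_CT_HEARTBEAT) {
            size_t claimed;
            hb_alert_kind k = classify_heartbeat(buf + body_off, rec_len, avail, &claimed);
            if (k != ALERT_NONE) {
                alerts[n].kind = k;
                alerts[n].offset = off;
                alerts[n].record_len = rec_len;
                alerts[n].claimed_payload = claimed;
                n++;
            }
        }
        off = body_off + rec_len;
    }
    return n;
}

/* Constructed sample stream (not captured traffic), four records back to back. */
static const unsigned char sample_stream[] = {
    /* record 1, offset 0: application data, 4 bytes */
    0x17, 0x03, 0x02, 0x00, 0x04, 'd', 'a', 't', 'a',
    /* record 2, offset 9: heartbeat request, record length 24, claimed payload 0xFFFF */
    0x18, 0x03, 0x02, 0x00, 0x18,
    0x01, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    /* record 3, offset 38: well-formed heartbeat request, payload 5 */
    0x18, 0x03, 0x02, 0x00, 0x18,
    0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    /* record 4, offset 67: heartbeat response declaring 16384 payload bytes (record length 16403), captured in part */
    0x18, 0x03, 0x02, 0x40, 0x13,
    0x02, 0x40, 0x00, 'A', 'B'
};

size_t sample_stream_len(void) { return sizeof sample_stream; }
```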
 
==References==
{{Reflist|30em}}
 
==External links==
{{wikiversity|Managing risk from cyber attacks}}
{{Refbegin}}
* [http://www.queryhome.com/40208/heartbleed-passwords-encryption-encrypted-communication Heartbleed BUG in OPENSSL]
* [http://heartbleed.com/ Summary and Q&A about the bug] – by [[Codenomicon]] Ltd
* [http://vimeo.com/91425662 Video (08:40) - Explanation of the Heartbleed bug]
* [http://securitywatch.pcmag.com/hacking/322494-heartbleed-fallout-change-all-your-passwords PCMAG - Change Your Passwords]
* [http://www.hnkcnews.com/2014/04/09/heartbleed-bug-poses-major-threat-to-user-data/ 'Heartbleed' Bug: The Most Serious Bug in Recent Years ]
*[http://www.wired.com/2014/04/nsa-heartbleed/ Has the NSA Been Using the Heartbleed Bug as an Internet Peephole?]—''[[Wired (website)|Wired]]'' (April 10, 2014)
{{Refend}}
 
[[Category:Computer security exploits]]
[[Category:Software bugs]]
"https://sa.wikipedia.org/wiki/सदस्यः:Kriyear/प्रयोगपृष्ठम्" इत्यस्माद् प्रतिप्राप्तम्