Heartbleed Vulnerability

The Heartbleed vulnerability was caused by a programming error in the popular "OpenSSL" cryptographic software library. OpenSSL is a core component of most operating systems, and especially of web servers.

Among other things, OpenSSL is used for SSL encryption in browsers, SSL encryption in email software, and secure shell access. More below.

Heartbleed
Suppose you go to a site and enter your credit card information on a website using your browser. When you enter this information, a secure tunnel is created between you and the software vendor. You know it is encrypted because it is an https request and not a regular unencrypted http request. This means that when you send out your credit card information, it is encrypted, so that nobody else can see it.

Browser encryption is the most important area of this exploit, because attackers can theoretically obtain the private and public keys of the server's encryption. So if you, for example, enter a credit card number, a third party can eavesdrop on what you thought was a secure connection and possibly obtain your credit card information. The same applies to other types of websites, such as government identification websites like the Canada Revenue Agency.

The Heartbleed vulnerability compromises the encryption keys, the names and passwords of users, and the actual content of the traffic. Attackers can therefore eavesdrop on connections, steal information, and impersonate services and users. Identification and financial information are vulnerable in this area.
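The programming error behind Heartbleed was a missing bounds check: the server trusted the length field in a heartbeat request and copied that many bytes back, so whatever sat in memory after the real request (keys, passwords, session data) came back in the reply. The following is an added, simplified model written for this article, not OpenSSL's own code; the record layout, buffer sizes, "secret" string and handler names are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of a TLS heartbeat request, not OpenSSL's own code:
 * type(1) | payload_len(2, big-endian) | payload | padding(16 bytes). */
#define PADDING 16
#define HDR 3

/* Flawed handler: trusts payload_len, ignores how many bytes actually arrived,
 * and copies payload_len bytes from wherever the payload sits in memory. */
static int reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                                   /* the received size is never consulted */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HDR + payload + PADDING > out_cap) return -1;
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];    /* heartbeat_response, same length */
    memcpy(out + HDR, rec + HDR, payload);           /* reads past the real payload */
    memset(out + HDR + payload, 0, PADDING);
    return (int)(HDR + payload + PADDING);
}

/* Fixed handler: the claimed length must fit inside the bytes actually received;
 * otherwise the record is dropped without a reply. */
static int reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HDR + PADDING || rec[0] != 1) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HDR + payload + PADDING > rec_len) return -1; /* the bounds check the fix adds */
    if (HDR + payload + PADDING > out_cap) return -1;
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HDR, rec + HDR, payload);
    memset(out + HDR + payload, 0, PADDING);
    return (int)(HDR + payload + PADDING);
}
typedef int (*heartbeat_fn)(const uint8_t *, size_t, uint8_t *, size_t);

/* Constructed scenario: a request with 5 real payload bytes that claims 64, and a
 * "secret" sitting in process memory right after the 24 received bytes. Returns 1
 * if the handler echoes the secret back, 0 if not. The 128-byte buffer keeps the
 * over-read inside one array so the demonstration is defined behaviour in C. */
static int handler_leaks_secret(heartbeat_fn handler) {
    static const uint8_t req[] = {1, 0, 64, 'h', 'e', 'l', 'l', 'o'};
    static const char secret[] = "session-cookie=abc123";
    const size_t rec_len = sizeof req + PADDING;     /* 24 bytes actually received */
    uint8_t mem[128] = {0}, out[128];
    memcpy(mem, req, sizeof req);
    memcpy(mem + rec_len, secret, sizeof secret);
    int n = handler(mem, rec_len, out, sizeof out);
    return n >= (int)(rec_len + sizeof secret) && memcmp(out + rec_len, secret, sizeof secret - 1) == 0;
}
```

The unchecked handler returns the constructed secret inside its reply; the checked one drops the malformed request, which is exactly the behaviour the patched OpenSSL releases restored.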

DOMAINSunder's exposure was short. We only started using versions of the software that could be vulnerable in the past 4 months, and our financial gateway was never affected. Thus the only possible breach of security would have been users' control panel passwords, and we have not seen any indication that a breach occurred in this area.

If you have any questions regarding Heartbleed, please contact us.