NEW YORK (CNNMoney)
You can call this one the "handshake bug."
Computers and Web servers initiate secure conversations with one another in a process known as a "handshake." But this week, security researchers discovered a flaw in the way they shake hands. The bug allows a hacker operating between you and a website -- say, connected to the same public Wi-Fi network -- to snoop in on your Internet session.
Here's the good news: The handshake bug isn't as devastating as Heartbleed. The only major browsers it affects are for Google's Android mobile operating system. And for a hacker to exploit the bug, you and the website must both be running vulnerable versions of the encrypting software, known as OpenSSL.
But it's yet another wake-up call that your Internet security relies on a few volunteers. The OpenSSL Foundation is a tiny team of computer programmers that only recently started getting additional financial support from many companies that rely on this software. The Linux Foundation said OpenSSL has received about half of the $5.4 million that companies have donated so far to the Core Infrastructure Initiative, an effort to better secure the Internet.
In fact, many security researchers say the only reason we spotted the handshake bug is because, post-Heartbleed, more volunteers are combing through the OpenSSL computer code. The world can thank Masashi Kikuchi, a software security expert at the small Japanese consulting firm Lepidum who decided to look through the code himself.
"The biggest reason why the bug hasn't been found for over 16 years is that code reviews were insufficient," Kikuchi wrote in a blog post.
The bug has been fixed, and now it's up to Web browser makers and website servers to update their systems. According to Adam Langley, a senior researcher at Google (GOOG), these Web browsers are safe:
- Internet Explorer
- Firefox
- Chrome (for desktop, iOS)
- Safari
According to Qualys (QLYS) engineering director Ivan Ristic, these browsers are vulnerable:
- Android
- Chrome (for Android)
"We shouldn't be surprised that there are more flaws in OpenSSL," said Jean Taggart, a researcher at antivirus maker Malwarebytes. "Security is a process, not a product."
And if you're still worried about the handshake bug? Keep yourself clean. Don't use strangers' Wi-Fi.
First Published: June 6, 2014: 2:10 PM ET