Category Archives: Website Security

Heartbleed Vulnerability and You – A Patch Guide

Recently, the Heartbleed Bug (CVE-2014-0160), a serious vulnerability in the popular OpenSSL cryptographic software library, was discovered. It is a very serious vulnerability that exposes information protected by SSL/TLS encryption, such as login details, email correspondence, and instant messages. It affected servers all over the world, including those of huge international companies. More information about it can be found using the links below:

https://www.openssl.org/news/secadv_20140407.txt
Heartbleed Bug
You can also test your server for Heartbleed (CVE-2014-0160).

Status of different versions:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
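
The version list above can be applied to a whole fleet at once. The following is an added example, not part of the original guide: it classifies `openssl version` banners against that list. The host names and the sample inventory are constructed, and treating 1.0.1 letters after "g" as fixed is an assumption that goes beyond the list.

```python
import re

# Version token of an `openssl version` banner, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def heartbleed_status(banner):
    """Classify one banner against the version list above (upstream versions only)."""
    m = BANNER.search(banner)
    if not m:
        return "unparsed"
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)
    if branch == (1, 0, 1):
        # Plain 1.0.1 (no letter) through 1.0.1f are vulnerable.
        if len(letter) <= 1 and letter <= "f":
            return "vulnerable"
        # 1.0.1g carries the fix; later letters are assumed to build on it.
        return "not vulnerable"
    if branch in ((1, 0, 0), (0, 9, 8)):
        return "not vulnerable"
    # Anything else is outside the list, so make no claim about it.
    return "not listed"

# Constructed inventory: hypothetical host name -> output of `openssl version`.
SAMPLE_INVENTORY = {
    "web01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "web02": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail01": "OpenSSL 0.9.8y 5 Feb 2013",
    "db01": "OpenSSL 1.0.0k 5 Feb 2013",
    "vpn01": "OpenSSL 1.0.1 14 Mar 2012",
    "old01": "command not found",
}

def triage(inventory):
    """Group hosts by status so the vulnerable ones can be patched first."""
    report = {}
    for host, banner in sorted(inventory.items()):
        report.setdefault(heartbleed_status(banner), []).append(host)
    return report

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

The banner only shows the upstream version. Distribution packages can backport the fix without changing the version letter, so confirm a "vulnerable" result on a packaged OpenSSL against the vendor's advisory.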


Secure Sockets Layer (SSL) and You

Do you ever see that little lock symbol in the address bar of your browser and wonder exactly what it’s doing? How does this “SSL” protect your data? I’m going to tell you a little story that will make understanding Secure Sockets Layer encryption a little easier.

Let’s say you have something you want to send to the server over the internet that you don’t want prying eyes to have – a credit card number for example. If you just send it in plain text, anyone sitting out there with a packet sniffer monitoring traffic can find it, read it, and buy that new 50” LED TV they’ve been wanting… compliments of you! That’s where SSL comes into play.

SSL requires a few things to work. First – there’s the box. This box will serve as the vessel to transport your secure data back and forth. But sending stuff in a box won’t make any difference if it’s not locked! To fix that, both you and the server generate two keys that can either unlock or lock the box: a private key and a public key. In order to get the ball rolling, you and the server trade public keys. The trick here? The public key is only used to lock the box, so we aren’t concerned with the bad guys getting it. The only way to unlock the box is with our private keys, which never touch the network.
