Common Web Encryption Tool Is Flawed, Researchers Say
Baku, April 9 (AZERTAC). An encryption tool used by a large chunk of the Internet is flawed, potentially exposing reams of data meant to be hidden from prying eyes.
The bug, nicknamed Heartbleed by researchers at Google Inc. and cybersecurity firm Codenomicon, could have affected two-thirds of active websites when it was disclosed Monday, they said.
On Tuesday, website operators, including Yahoo Inc., raced to fix the problem. A Yahoo spokeswoman said the company had "made the appropriate corrections." Several researchers said earlier that they had been able to capture Yahoo usernames and passwords. Many other major websites, such as Google, Amazon.com Inc. and eBay Inc., appeared to be safe, based on a test created by a researcher for cybersecurity company Qualys Inc.
The bug exploits a problem in certain versions of OpenSSL, a free set of encryption tools used by much of the Internet. OpenSSL is managed by four core European programmers, only one of whom counts it as his full-time job. The limited resources behind the encryption code highlight a challenge for Web developers amid increased concern about hackers and government snoops.
Websites increasingly use encryption to mask data such as usernames, passwords and credit-card numbers. That prevents a hacker lurking at a coffee shop from grabbing personal information out of the air as it travels to a wireless router. This type of encryption is called SSL, or secure sockets layer, or TLS, or transport layer security. When a website is using these forms of encryption, a padlock appears with the Web address in a browser.
Web servers that use the affected versions of the code store some data unprotected in memory. Hackers can grab that data, and reconstruct information about users or keys that would allow them to monitor past or future encrypted traffic.
"Anyone can reach out to the Internet and scoop out the data," said Thomas Ptacek, a researcher at Matasano Security in Chicago. "I can be in my office here. I can be in Estonia."
Writing encryption code is complex, so many website operators tap OpenSSL, which is free. It was created in the late 1990s by developers who wanted an easy-to-use encryption scheme for Internet traffic. Its website is bare bones, as are its finances.
Steve Marquess, president of the OpenSSL Software Foundation, a separate entity that solicits funding for the team that manages the code, said its 2013 budget was less than $1 million.
"There's no question more effectively applied manpower would be a good thing," said Mr. Marquess, 59 years old. "Formal code audits would be a good thing."
Mr. Marquess, a former Defense Department consultant who works in Maryland, is the project's only U.S. resident. The other coders are based in Europe to avoid export laws for advanced encryption.
Still, OpenSSL has become synonymous with online encryption. The Defense Department and Department of Homeland Security use OpenSSL, Mr. Marquess said. On its website, Amazon suggests that customers of its Amazon Web Services remote-computing service use OpenSSL when adding encryption to their webpages.
In a blog post, Amazon said it expected to have mitigated the issue for all AWS users by the end of Tuesday.
Ivan Ristic, a Serbian researcher for Qualys, spent much of Monday creating a tool to test whether a website is affected. Traffic to Mr. Ristic's webpage was up seven-fold Tuesday as Web users checked the security status of various websites, he said.
The researchers said the bug had existed in the encryption code for roughly two years. They pointed users to a patch and explained how website operators can protect themselves and their users.
Much of the Internet appeared to be caught off guard by the disclosures.
"If you need strong anonymity or privacy," Roger Dingledine, president of the Tor Project, a web service used to obscure Internet users' identity, wrote in a blog post, "you might want to stay away from the Internet entirely for the next few days while things settle."