Study shows Heartbleed bug can be used to access a server's private keys

Just over a week has passed since the Heartbleed bug incident was brought to light and the implications of this seemingly innocuous flaw have gotten worse by the day.


The fear that the Heartbleed bug could not spare even highly secured servers and would expose their confidential information may have come true, if a report on PCWorld is to be believed.


This follows researchers successfully retrieving a server's private keys by exploiting the Heartbleed bug. The retrieval was part of a challenge set up by CloudFlare, a San Francisco-based online security company, to find out whether attackers can obtain a server's private keys using the Heartbleed bug in the OpenSSL cryptographic library. The private keys are used to ensure that communication channels between a user and a website are encrypted under SSL/TLS (Secure Sockets Layer/Transport Layer Security).


Until now, security experts were not sure whether the Heartbleed bug could be used to gain access to a server's private keys; this challenge was set up to find out exactly that. CloudFlare set up a server that researchers had to attack using only the Heartbleed bug. The server ran the nginx 1.5.13 web server software with a vulnerable OpenSSL 1.0.1f on a 64-bit x86 Ubuntu 13.10 system.


Fedor Indutny, a Russian researcher, was the first person to successfully obtain the server's private keys. Another researcher who succeeded was Ilkka Mattila of the National Cyber Security Centre in Finland. In a post on the company's blog, Nick Sullivan says, “We confirmed that all individuals used only the Heartbleed exploit to obtain the private key.”


A security certificate is tied to a private key, and together they let a client computer verify that it is not connecting to a fake website pretending to be the genuine one. When your system is accessing a secure and trusted website, a lock icon appears at the leftmost part of the address bar. Such certificates are widely used by e-commerce sites and banks. But with a private key obtained through Heartbleed, an attacker can impersonate the site's certificate and thus trick users into diverting their information to the attacker's server. Beyond this, all traffic protected by that key can now be easily decrypted by the attacker, since they possess the private key.
