Thursday, April 10, 2014


"An attacker can use it to obtain the encryption keys used by a web site, allowing an attacker or spy agency to read all communications. It can practically
be used to obtain the server private key used for securing the server and communications to it, essentially breaching the certificates used for protecting
the web site, which in turn allows decrypting past sessions as well as performing man-in-the-middle attacks (including banking fraud and identity theft) in
most cases."


Ylönen said that about two-thirds of the world's Websites use the encryption library affected by the vulnerability, which is OpenSSL 1.0.1. Any of those
sites could have been compromised. He said that these include major commerce sites, social networking and banking sites.

Because the encryption keys themselves may have been stolen from compromised Websites, the importance of keeping keys safe is underscored. Unless the keys
were kept secure and encrypted, the chance that they could be stolen during a breach is high, according to Richard Mould, vice president of Strategy for
Thales e-Security.

"Once again the importance of sound key management has been brought into sharp focus," Mould told eWEEK. "The Heartbleed bug found in OpenSSL, one of the
most common means of encrypting data on the internet, increases the risk that encryption keys can be stolen. An attacker that can access these keys can
decrypt any data that has been previously encrypted using those keys and probably any future data until each key is changed. Updating keys is expensive and
time consuming and the impact of a loss can be very damaging."

Ylönen said that once the SSL encryption had been broken, it's likely that passwords normally protected by SSL had also been compromised.
