Heartbleed安全漏洞动摇互联网根基

    周一下午，网上曝出了更多关于互联网有史以来最大漏洞的细节。这个漏洞叫做Heartbleed（意为“心在滴血”）。本周各大主流网络公司纷纷手忙脚乱地给自己的系统打补丁，而且黑客们可能已经利用这个漏洞攫取了成百上千万用户的数据。这个漏洞已经存在两年多了，而且没有留下任何可疑活动的迹象。有人估计，自2011年以来，Heartbleed已经导致整个网络的三分之二陷入风险。

    Heartbleed影响的是OpenSSL，后者是用于网络数据加密的一项关键技术。Heartbleed允许网络攻击者从运行这个软件的服务器获取包括用户名、密码、信用卡详细资料等在内的敏感信息。虽然谷歌、微软以及苹果等公司使用的不是OpenSSL，但不计其数大大小小的公司普遍都采用了这项技术。

    利用Heartbleed漏洞的黑客可以从一个服务器上随机“钓”到大量的数据。虽然每次“钓鱼”攫取的数据相对较少，但是这个程序却可以一遍又一遍地重复，而且不留下任何入侵痕迹。黑客获得的数据可能包括用户的登陆信息、私人信息、电子邮件，甚至是加密密钥。这些密钥尤其重要，因为黑客有了它之后便可以成功伪造出一个山寨的网站，谁都看不出来它是假的。

    调查记者、网络安全调查专家布莱恩•克雷布斯已经针对这个漏洞发表了一篇深度报道。他告诉《财富》杂志：“攻击者可以窃取‘王国的钥匙’——也就是网站用来加密和解密访客所有通讯信息的密钥。由于互联网大范围地存在这个漏洞，因此它具有很高的危险性。虽然现在存在漏洞的网站可能不到50万个，但是其中很多网站都有几百万甚至几亿用户。”

    克雷布斯表示，网上已经有了可以用来检测Heartbleed漏洞的工具。包括雅虎、Flickr、OKCupid、Zoho、500px、Imgur在内的许多大型门户网站都存在这个漏洞，甚至连FBI的官网也未能幸免。到本周三早上，许多网站已经开始修补这个漏洞。雅虎表示已经开始对旗下的大部分网站进行升级。另外电子邮件服务器和即时通讯工具也存在同样的风险。

    对于任何一家在网络上占有一席之地并且使用OpenSSL工具的人来说，首当其冲的要务就是紧急升级网站和打补丁——或者紧急给相关的网站托管公司打电话让他们解决这个问题。虽然最新版本的OpenSSL已经修补了Heartbleed，但更新安全证书和重新设置加密密钥这样一个漫长而复杂的过程仍然是必要的。就算等到这个漏洞彻底消除，我们也没法知道在此之前已经丢失了多少信息。我们将在未来许多年里都能感受到Heartbleed的余威。

    克雷布斯说：“本周许多互联网用户可能从多个网站那里接到了不只一次请他们更改密码的要求。很多受到影响的网站的管理员在打好补丁后，还得更换他们自己的OpenSSL的密钥和安全证书。另外，由于很多网站都没有留下任何入侵痕迹，因此为了安全起见，这些网站也会建议用户更改登陆密码。”

    用户除了静待受影响的网站升级完毕之外，没什么可做的了。重设密码虽然有用，但是首先还得等那些网站升级完毕才管用。另外就是一些常识性的安全事项还得老调重弹——要密切注意自己的信用卡账单，留意可疑的网上活动。

    克雷布斯还补充树：“人们经常开玩笑说，‘噢，或许我们应该离互联网远一点，’以应对某些特定的网络威胁。我认为这回它可能并不是个坏主意。如果你正好登陆了一个存在风险的网站，那么你的授权被黑客窃取的可能性应该说是不小的……问题是终端用户现在仍然不清楚哪些网站是安全的，哪些网站是有风险的。”

    这个漏洞最早是由一批为谷歌和科诺康工作的编程人员发现的，他们在网上发布了一个信息页面。由于这个漏洞利用了OpenSSL的一个常用扩展工具Heartbeat，因此他们把这个漏洞命名为“Heartbleed”。他们在声明中说：“大家常用的热门社交网站、大家公司的网站、商业网站、兴趣网站、大家下载安装软件的网站，甚至连由政府运作的网站，可能都在使用存在风险的OpenSSL。”

    本周全球的IT经理们都在火速升级自己的系统，同时祈祷不要有人利用Heartbleed干什么坏事。至于什么是最值得担忧的部分，他们或许永远都不会知道了。（财富中文网）

    译者：朴成奎

    Late on Monday afternoon, the details of one of the most serious security problems to ever affect the modern web were posted online. Dubbed Heartbleed, the vulnerability has major companies scrambling this week to patch their systems and could have been exploited to harvest data from millions of users. The bug has been in the wild for more than two years, and leaves no trace of suspicious activity. Some estimates suggest that two-thirds of the web has been at risk since 2011.

    Heartbleed affects OpenSSL, one of the key technologies used to encrypt data online. It allows attackers to retrieve sensitive information such as usernames, passwords and credit card details from servers running the software. While OpenSSL is not used by the likes of Google, Microsoft and Apple, it's a popular choice for countless companies large and small.

    A hacker making use of the Heartbleed vulnerability can "fish" for random chunks of data on a vulnerable server. While these chunks are small, the process can be repeated again and again, and leaves no trace of any breach. The data packets returned to the hacker could include log in details, private information, email messages and even encryption keys. Those keys are particularly important, allowing a hacker to successfully emulate the site in question, leaving no clue that it isn't genuine.

    Investigative journalist and security researcher Brian Krebs has posted in depth about the exploit. He tells Fortune: "Attackers can steal the 'keys to the kingdom,' as it were -- the private encryption keys that websites use to encrypt and decrypt all communications with visitors. As broad-scale Internet vulnerabilities go, this one is about as dangerous as it gets. While there are probably fewer than a half million sites that are vulnerable right now, many of the vulnerable sites have millions or even hundreds of millions of users."

    Krebs points to online lists and tools that can be used to test for Heartbleed. Big-name portals such as Yahoo, Flickr, OKCupid, Zoho, 500px, Imgur and even the F.B.I. were identified as being vulnerable as the news broke. Many sites have now put fixes in place -- as of Wednesday morning, Yahoo says it has rolled out an upgrade for the majority of its sites. E-mail servers and instant messenger communications are also at risk.

    For any company that has a presence on the web and uses OpenSSL, this means an urgent round of upgrading and patching -- or an urgent call to the relevant web hosting firm. The latest version of OpenSSL fixes Heartbleed, but a lengthy and involved process of renewing security certificates and resetting encryption keys is also required. Even when the bug has been eradicated, there's no knowing how much data was lost in the interim, and the repercussions could be felt for years to come.

    "Many Internet users will probably be asked at least once this week to change their passwords at various sites," Krebs says. "Affected website administrators have to replace the private keys and certificates for their OpenSSL installations after patching the bug. And since this exploit for many sites seems to leaves few traces behind, many organizations will probably want to be on the safe side and will be advising users to change their passwords as well."

    As far as end users are concerned, there's not much choice but to sit it out and avoid affected sites until an update has been rolled out. Resetting passwords will help to shore up the breach, but only after the sites in question have been upgraded. The usual common sense approaches -- keeping a close eye on credit card bills and watching for suspicious activity online -- are among the best steps to staying safe.

    "People often joke that 'Oh, perhaps we should stay off the Internet' in response to certain threats, but in this case I think that may not be a horrible idea," Krebs says. "If you happen to log in to a site that is vulnerable, there is a more than trivial chance that some attacker will steal your credentials . . . the problem is that it's not readily apparent to the end user which sites are fine and which are still vulnerable."

    The bug was first spotted by coders working for Google and Codenomicon, who posted an information page online and christened the vulnerability "Heartbleed" because it takes advantage of a common OpenSSL extension called Heartbeat. "Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL," warns the announcement.

    This week, IT managers across the globe will be working feverishly to get their systems up to date, and praying that no one took advantage of Heartbleed. The most worrying part? They may never know.