被稱為"HeartBleed心臟流血"的加密技術漏洞已儼然成為史上最嚴重的網路安全威脅之一。在4/7晚間,Google和芬蘭網路安全公司Codenomicon公開一項重大消息:OpenSSL軟體被發現存在程式臭蟲,可能導致個人資料外洩。而全球大約有三分之二網路伺服器均使用OpenSSL。以下是CNET所提供,你應該了解的重要事項:
What is OpenSSL?
Let's start with SSL. That stands for Secure Sockets Layer, but it's also known by its new name, Transport Layer Security, or TLS. It's the most basic means of encrypting information on the Web, and it mitigates the potential of someone eavesdropping on you as you browse the Internet. (Notice the "https" in the URL of SSL-enabled sites like Gmail, instead of simply "http.")
何謂openSSL?
先從SSL開始。它代表的是(Secure Sockets Layer)安全插槽層協議,新名稱是TLS(Transport Layer Security)傳輸層安全協議。它是加密網路信息最基礎的方法,並能降低當你瀏覽網路時遭人竊取資料的風險。(網址顯示https而非http為採用SSL加密的網站,如Gmail)
Why is it called Heartbleed?
Heartbleed is a play on words referring to an extension on OpenSSL called "heartbeat." The protocol is used to keep connections open, even when data isn't being shared between those connections.
為何叫Heartbleed ?
其實是對OpenSSL的附加協議“heartbeat”玩文字遊戲。該協議是用於保持網路兩端連結開啟,即使在之間並無資料傳輸時。
How does the bug work?
The vulnerability lets a hacker access up to 64 kilobytes of server memory, but perform the attack over and over again to get lots of information. That means an attacker could get not just usernames and passwords, but also "cookie" data that Web servers and browsers use to track individuals and ease log-in. According to the Electronic Frontier Foundation, doing the attack repeatedly could yield more serious information, like a site's private SSL key, used to encrypt traffic. With that key, someone could run a fake version of a Web site and use it to steal all other kinds of information, like credit card numbers or private messages.
臭蟲的危害之處?
這項漏洞讓駭客最多可存取64KB的伺服器記憶體,但他可經由反覆攻擊獲取大量資訊。這表示駭客不僅能竊取使用者名稱和密碼,網路伺服器及瀏覽器用來追蹤並幫助用戶登入的"cookie"檔案也可能落入他們的魔掌 。Electronic Frontier Foundation電子前線基金會指出,經由反覆網路攻擊還可能取得更重要的資訊,譬如網站用來加密數據的專屬SSL金鑰。有了金鑰,駭客便可假冒該網站,並竊取其他如信用卡卡號、私人訊息等資訊。
Should I change my passwords?
For many Web sites, yes. BUT wait until you get confirmation from the Web site operator that the bug has been patched. It's a natural reaction to want to change all of your passwords immediately, but if the Web site's bug has not been fixed yet, making the change could be useless -- you're just potentially giving an attacker your new password.
我應該更改密碼嗎?
對許多網站而言,是的,但請等到網站經營者通知確認漏洞已修正。立即修改所有密碼確實是自然反應,但若網站漏洞尚未修正,更改密碼也是枉然 - 你只會讓駭客得知你的新密碼。
Should I be worried about my bank account?
Most banks don't use OpenSSL, but instead use proprietary encryption software. But if you're unsure, contact your bank directly for confirmation that the Web site is secure. Still, John Miller, security research manager for security and compliance firm TrustWave, suggests keeping a close eye on financial statements for the next few days to make sure there are no unfamiliar charges.
我應該擔心銀行帳戶外流嗎?
