There has been a lot of talk this week about a newly and accidentally uncovered security flaw on the Internet, and it would not surprise us if some of the Internet services you know, such as social networks, banking and payment services, have already contacted you to explain what measures they are taking or to confirm whether they were affected. But do you have any idea what it is about?
It all started with a report from Google Security this same week, in which Neel Mehta reported that OpenSSL has a flaw affecting memory handling in its implementation of the TLS security layer (used, to take one example, in most email clients). The flaw causes 64 kilobytes of memory to leak through the TLS Heartbeat extension, memory that can even include user information; hence the name Heartbleed.
The worst part is that the flaw turned out to have existed since 2011, but it did not become widespread until developers working with Internet protocols upgraded to OpenSSL 1.0.1 in 2012.
The impact is such that, by reading an arbitrary block of the web server's memory, attackers could receive sensitive data that happens to be in those 64-kilobyte blocks, which compromises the security of the server and its users. Vulnerable data includes the server's private master key, which would allow attackers to decrypt current or stored traffic through passive or active attacks such as man-in-the-middle, if perfect forward secrecy is used. The attacker cannot control which data is returned, since the server responds with a random chunk of its own memory.
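The length check behind this bug, as an added example (not OpenSSL's code and not part of the original article): a heartbeat message carries a 16-bit payload-length field, which is where the 64-kilobyte ceiling comes from, and the handler has to compare that field with the record that actually arrived. The message layout follows RFC 6520; the function names and sample messages are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST 1
#define HB_RESPONSE 2
#define HB_HEADER 3       /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PADDING 16 /* RFC 6520: at least 16 bytes of padding */

/* Constructed samples: a consistent request with a 4-byte payload, and a
 * request whose length field claims 0x4000 bytes while carrying none. */
static const uint8_t HB_HONEST[3 + 4 + 16] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t HB_MISMATCH[3 + 16] = {HB_REQUEST, 0x40, 0x00};

/* Bytes that a handler trusting payload_length would read past the end of
 * the received record (0 = the claim fits). This only computes the figure;
 * nothing is read out of bounds. */
size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t avail = rec_len - HB_HEADER;
    return claimed > avail ? claimed - avail : 0;
}

/* Hardened handler: writes the echo response into out and returns its
 * length, or returns -1 to silently discard an inconsistent message. */
long hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_MIN_PADDING > rec_len)
        return -1; /* the bounds check the vulnerable versions lacked */
    size_t resp_len = HB_HEADER + claimed + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PADDING); /* real stacks use random padding */
    return (long)resp_len;
}
```

The same comparison of the length field against the record size is what a network sensor can apply to flag inconsistent heartbeat requests.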
The following list, courtesy of CNET, documents the sites and services that may have been affected and whether the companies have already fixed the issue:
| Site | Qualys | Confirmation from site |
|---|---|---|
|  | Pass | Vulnerability patched. Password change recommended |
|  | Pass | Vulnerability patched. Password change recommended |
| YouTube | Pass | Vulnerability patched. Password change recommended |
| Yahoo! | Pass | Vulnerability patched. Password change recommended |
| Amazon | Pass | Was not vulnerable |
| Wikipedia | Pass | Vulnerability patched. Password change recommended |
|  | Pass | Was not vulnerable |
| eBay | Pass | Was not vulnerable |
|  | Pass | Was not vulnerable |
| Craigslist | Pass | Awaiting response |
| Bing | Pass | Vulnerability patched. Password change recommended |
|  | Pass | Vulnerability patched. Password change recommended |
| Blogspot | Pass | Vulnerability patched. Password change recommended |
| CNN | Be on alert | Awaiting response |
| Live | Pass | Was not vulnerable |
| PayPal | Pass | Was not vulnerable |
|  | Pass | Vulnerability patched. Password change recommended |
| Tumblr | Pass | Vulnerability patched. Password change recommended |
| Espn.go.com | Pass | Vulnerability patched. Password change recommended |
| WordPress | Pass | Awaiting response |
| Imgur | Pass | Awaiting response |
| Huffington Post | Not available | Awaiting response |
|  | Pass | Vulnerability patched. Password change recommended |
| MSN | Pass | Was not vulnerable |
| Netflix | Pass | Vulnerability patched. Password change recommended |
| Weather.com | Not available | Vulnerability patched. Password change recommended |
| IMDb | Not available | Was not vulnerable |
| Yelp | Pass | Vulnerability patched. Password change recommended |
| Apple | Pass | Was not vulnerable |
| AOL | Pass | Awaiting response |
| Microsoft | Pass | Was not vulnerable |
| NYTimes | Pass | Awaiting response |
| Bank of America | Pass | Was not vulnerable |
| Ask | Not available | Was not vulnerable |
| Fox News | Pass | Was not vulnerable |
| Chase | Pass | Was not vulnerable |
| GoDaddy | Pass | Vulnerability patched. Password change recommended |
| About | Not available | Was not vulnerable |
| BuzzFeed | Pass | Awaiting response |
| Zillow | Pass | Was not vulnerable |
| Wells Fargo | Pass | Was not vulnerable |
| Etsy | Pass | Vulnerability patched. Password change recommended |
| XVideos | Be on alert | Awaiting response |
| Walmart | Pass | Was not vulnerable |
| CNET | Pass | Was not vulnerable |
| Pandora | Pass | Was not vulnerable |
| xHamster | Pass | Awaiting response |
| PornHub | Pass | Awaiting response |
| Comcast | Pass | Awaiting response |
| Stack Overflow | Pass | Vulnerability patched. Password change recommended |
| Salesforce | Pass | Was not vulnerable |
| Daily Mail | Be on alert | Awaiting response |
| Vimeo | Pass | Vulnerability patched. Password change recommended |
| Conduit | Pass | Awaiting response |
| Flickr | Pass | Vulnerability patched. Password change recommended |
| Zedo | Not available | Was not vulnerable |
| Forbes | Not available | Was not vulnerable |
| LiveJasmin | Be on alert | Awaiting response |
| USPS | Pass | Vulnerability patched. Password change recommended |
| Indeed | Pass | Awaiting response |
| Hulu | Pass | Was not vulnerable |
| Answers | Pass | Was not vulnerable |
| HootSuite | Pass | Was not vulnerable |
| Amazon Web Services | Pass | Awaiting response |
| Adobe | Pass | Awaiting response |
| Blogger | Pass | Vulnerability patched. Password change recommended |
| Dropbox | Pass | Vulnerability patched. Password change recommended |
| Reference.com | Not available | Was not vulnerable |
| AWeber | Pass | Was not vulnerable |
| UPS | Pass | Was not vulnerable |
| Intuit | Pass | Awaiting response |
| NBC News | Pass | Awaiting response |
| USA Today | Pass | Was not vulnerable |
| Outbrain | Pass | Vulnerability patched. Password change recommended |
| The Pirate Bay | Pass | Awaiting response |
| The Wall Street Journal | Pass | Awaiting response |
| Bleacher Report | Pass | Awaiting response |
| Constant Contact | Pass | Was not vulnerable |
| Wikia | Pass | Vulnerability patched. Password change recommended |
| CBSSports | Pass | Was not vulnerable |
| Publishers Clearing House | Pass | Awaiting response |
| Washington Post | Not available | Vulnerability patched. Password change recommended |
| Target | Pass | Was not vulnerable |
| Drudge Report | Be on alert | Awaiting response |
| TripAdvisor | Pass | Was not vulnerable |
| FedEx | Pass | Was not vulnerable |
| Capital One | Pass | Was not vulnerable |
| wikiHow | Not available | Was not vulnerable |
| Googleusercontent.com | Pass | Vulnerability patched. Password change recommended |
| Groupon | Pass | Was not vulnerable |
| Best Buy | Pass | Awaiting response |
| AT&T | Pass | Awaiting response |
| Home Depot | Pass | Awaiting response |
| Trulia | Not available | Was not vulnerable |
| TMZ | Pass | Awaiting response |
| Feedbin | Pass | Vulnerability patched. Password change recommended |
| Pinboard | Pass | Vulnerability patched. Password change recommended |
| GetPocket | Pass | Vulnerability patched. Password change recommended |
| IFTTT | Pass | Vulnerability patched. Password change recommended |
| ManageWP | Pass | Was not vulnerable |
| PayScale | Pass | Was not vulnerable |
For its part, Google stated that it has already applied the necessary fixes for Search, Gmail, YouTube, Wallet, Play, Apps and App Engine, while other services are still in progress. Best of all, Chrome and Chrome OS are not affected.