Heartbleed security flaw shakes the foundations of the Internet

David Nield, April 14, 2014
A network security vulnerability called Heartbleed has existed for more than two years. Industry observers estimate that during that time two-thirds of websites were exposed. The flaw lets hackers obtain large amounts of sensitive information, including usernames, passwords and credit card details, easily and without leaving a trace, enough to put almost the entire Internet at risk. Its aftereffects could linger for years.


Chinese translation (Fortune China) by 樸成奎. The English original follows.

Late on Monday afternoon, the details of one of the most serious security problems to ever affect the modern web were posted online. Dubbed Heartbleed, the vulnerability has major companies scrambling this week to patch their systems and could have been exploited to harvest data from millions of users. The bug has been in the wild for more than two years, and leaves no trace of suspicious activity. Some estimates suggest that two-thirds of the web has been at risk since 2011.

Heartbleed affects OpenSSL, one of the key technologies used to encrypt data online. It allows attackers to retrieve sensitive information such as usernames, passwords and credit card details from servers running the software. While OpenSSL is not used by the likes of Google, Microsoft and Apple, it's a popular choice for countless companies large and small.

A hacker making use of the Heartbleed vulnerability can "fish" for random chunks of data on a vulnerable server. While these chunks are small, the process can be repeated again and again, and leaves no trace of any breach. The data packets returned to the hacker could include login details, private information, email messages and even encryption keys. Those keys are particularly important, allowing a hacker to successfully emulate the site in question, leaving no clue that it isn't genuine.
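The "fishing" the paragraph above describes comes down to one missing bounds check. The following is an added illustration, not code from the article or from OpenSSL: a simplified model in which a heartbeat handler either trusts the peer-supplied length field (the bug) or checks it against the number of bytes actually received (the fix). The single memory arena, the constructed "SECRET-KEY-MATERIAL" string and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the heartbeat bug, not OpenSSL's code. A heartbeat
 * request is: 1 byte type, 2-byte big-endian payload length, then payload. */
#define ARENA 64
static unsigned char mem[ARENA];   /* stands in for a slice of server memory */

/* Lay out a received record at the front of 'mem' and place unrelated,
 * constructed secret data right behind it. Returns the record length received. */
static size_t build(const char *payload, uint16_t claimed, const char *secret) {
    size_t n = strlen(payload);
    memset(mem, 0, sizeof mem);
    mem[0] = 1;                               /* heartbeat_request */
    mem[1] = (unsigned char)(claimed >> 8);   /* length field as sent by the peer */
    mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(mem + 3, payload, n);
    memcpy(mem + 3 + n, secret, strlen(secret));
    return 3 + n;
}

/* Vulnerable: copies as many bytes as the peer's length field claims. */
static size_t hb_vulnerable(size_t rec_len, unsigned char *out) {
    uint16_t claimed = (uint16_t)((mem[1] << 8) | mem[2]);
    (void)rec_len;                            /* never consulted: this is the bug */
    if (claimed > ARENA - 3) claimed = ARENA - 3;  /* model only: stay inside 'mem' */
    memcpy(out, mem + 3, claimed);            /* runs past the payload into the secret */
    return claimed;
}

/* Fixed: the claimed length must fit inside the record actually received. */
static size_t hb_fixed(size_t rec_len, unsigned char *out) {
    uint16_t claimed = (uint16_t)((mem[1] << 8) | mem[2]);
    if ((size_t)3 + claimed > rec_len) return 0;   /* discard, echo nothing */
    memcpy(out, mem + 3, claimed);
    return claimed;
}

/* Oversized request: a 2-byte payload whose length field says 20. */
int vulnerable_leaks_secret(void) {
    unsigned char out[ARENA];
    size_t n = hb_vulnerable(build("hi", 20, "SECRET-KEY-MATERIAL"), out);
    return n == 20 && memcmp(out + 2, "SECRET-KEY-MATERIA", 18) == 0;
}
int fixed_rejects_oversized(void) {
    unsigned char out[ARENA];
    return hb_fixed(build("hi", 20, "SECRET-KEY-MATERIAL"), out) == 0;
}
int fixed_echoes_valid(void) {   /* a well-formed request still works after the fix */
    unsigned char out[ARENA];
    size_t n = hb_fixed(build("hi", 2, "SECRET-KEY-MATERIAL"), out);
    return n == 2 && memcmp(out, "hi", 2) == 0;
}
```

Because the leaked bytes are whatever happens to sit next to the record, nothing in the server's normal logging records that the extra data left, which is why the article describes the attack as trace-free.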

Investigative journalist and security researcher Brian Krebs has posted in depth about the exploit. He tells Fortune: "Attackers can steal the 'keys to the kingdom,' as it were -- the private encryption keys that websites use to encrypt and decrypt all communications with visitors. As broad-scale Internet vulnerabilities go, this one is about as dangerous as it gets. While there are probably fewer than a half million sites that are vulnerable right now, many of the vulnerable sites have millions or even hundreds of millions of users."

Krebs points to online lists and tools that can be used to test for Heartbleed. Big-name portals such as Yahoo, Flickr, OKCupid, Zoho, 500px, Imgur and even the F.B.I. were identified as being vulnerable as the news broke. Many sites have now put fixes in place -- as of Wednesday morning, Yahoo says it has rolled out an upgrade for the majority of its sites. E-mail servers and instant messenger communications are also at risk.

For any company that has a presence on the web and uses OpenSSL, this means an urgent round of upgrading and patching -- or an urgent call to the relevant web hosting firm. The latest version of OpenSSL fixes Heartbleed, but a lengthy and involved process of renewing security certificates and resetting encryption keys is also required. Even when the bug has been eradicated, there's no knowing how much data was lost in the interim, and the repercussions could be felt for years to come.

"Many Internet users will probably be asked at least once this week to change their passwords at various sites," Krebs says. "Affected website administrators have to replace the private keys and certificates for their OpenSSL installations after patching the bug. And since this exploit for many sites seems to leave few traces behind, many organizations will probably want to be on the safe side and will be advising users to change their passwords as well."

As far as end users are concerned, there's not much choice but to sit it out and avoid affected sites until an update has been rolled out. Resetting passwords will help to shore up the breach, but only after the sites in question have been upgraded. The usual common-sense approaches -- keeping a close eye on credit card bills and watching for suspicious activity online -- are among the best steps to staying safe.

"People often joke that 'Oh, perhaps we should stay off the Internet' in response to certain threats, but in this case I think that may not be a horrible idea," Krebs says. "If you happen to log in to a site that is vulnerable, there is a more than trivial chance that some attacker will steal your credentials . . . the problem is that it's not readily apparent to the end user which sites are fine and which are still vulnerable."

The bug was first spotted by coders working for Google and Codenomicon, who posted an information page online and christened the vulnerability "Heartbleed" because it takes advantage of a common OpenSSL extension called Heartbeat. "Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL," warns the announcement.

This week, IT managers across the globe will be working feverishly to get their systems up to date, and praying that no one took advantage of Heartbleed. The most worrying part? They may never know.
