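Heartbleed security vulnerability shakes the foundations of the Internet

David Nield, April 14, 2014
A network security vulnerability called Heartbleed has existed for more than two years. Industry insiders estimate that two-thirds of websites were exposed to danger during that time. The vulnerability lets hackers easily obtain large amounts of sensitive information, including usernames, passwords and credit card details, without leaving a trace, which is enough to put almost the entire Internet at risk. Its aftereffects may last for years.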

(Fortune China)

Translator: 樸成奎

Late on Monday afternoon, the details of one of the most serious security problems to ever affect the modern web were posted online. Dubbed Heartbleed, the vulnerability has major companies scrambling this week to patch their systems and could have been exploited to harvest data from millions of users. The bug has been in the wild for more than two years, and leaves no trace of suspicious activity. Some estimates suggest that two-thirds of the web has been at risk since 2011.

Heartbleed affects OpenSSL, one of the key technologies used to encrypt data online. It allows attackers to retrieve sensitive information such as usernames, passwords and credit card details from servers running the software. While OpenSSL is not used by the likes of Google, Microsoft and Apple, it's a popular choice for countless companies large and small.

A hacker making use of the Heartbleed vulnerability can "fish" for random chunks of data on a vulnerable server. While these chunks are small, the process can be repeated again and again, and leaves no trace of any breach. The data packets returned to the hacker could include log in details, private information, email messages and even encryption keys. Those keys are particularly important, allowing a hacker to successfully emulate the site in question, leaving no clue that it isn't genuine.

Investigative journalist and security researcher Brian Krebs has posted in depth about the exploit. He tells Fortune: "Attackers can steal the 'keys to the kingdom,' as it were -- the private encryption keys that websites use to encrypt and decrypt all communications with visitors. As broad-scale Internet vulnerabilities go, this one is about as dangerous as it gets. While there are probably fewer than a half million sites that are vulnerable right now, many of the vulnerable sites have millions or even hundreds of millions of users."

Krebs points to online lists and tools that can be used to test for Heartbleed. Big-name portals such as Yahoo, Flickr, OKCupid, Zoho, 500px, Imgur and even the F.B.I. were identified as being vulnerable as the news broke. Many sites have now put fixes in place -- as of Wednesday morning, Yahoo says it has rolled out an upgrade for the majority of its sites. E-mail servers and instant messenger communications are also at risk.

For any company that has a presence on the web and uses OpenSSL, this means an urgent round of upgrading and patching -- or an urgent call to the relevant web hosting firm. The latest version of OpenSSL fixes Heartbleed, but a lengthy and involved process of renewing security certificates and resetting encryption keys is also required. Even when the bug has been eradicated, there's no knowing how much data was lost in the interim, and the repercussions could be felt for years to come.

"Many Internet users will probably be asked at least once this week to change their passwords at various sites," Krebs says. "Affected website administrators have to replace the private keys and certificates for their OpenSSL installations after patching the bug. And since this exploit for many sites seems to leave few traces behind, many organizations will probably want to be on the safe side and will be advising users to change their passwords as well."

As far as end users are concerned, there's not much choice but to sit it out and avoid affected sites until an update has been rolled out. Resetting passwords will help to shore up the breach, but only after the sites in question have been upgraded. The usual common sense approaches -- keeping a close eye on credit card bills and watching for suspicious activity online -- are among the best steps to staying safe.

"People often joke that 'Oh, perhaps we should stay off the Internet' in response to certain threats, but in this case I think that may not be a horrible idea," Krebs says. "If you happen to log in to a site that is vulnerable, there is a more than trivial chance that some attacker will steal your credentials . . . the problem is that it's not readily apparent to the end user which sites are fine and which are still vulnerable."

The bug was first spotted by coders working for Google and Codenomicon, who posted an information page online and christened the vulnerability "Heartbleed" because it takes advantage of a common OpenSSL extension called Heartbeat. "Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL," warns the announcement.

This week, IT managers across the globe will be working feverishly to get their systems up to date, and praying that no one took advantage of Heartbleed. The most worrying part? They may never know.
