SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser; or a mail server and a mail client (e.g., Outlook). It allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. To establish this secure connection, the browser and the server need an SSL Certificate.
It covers asymmetric and symmetric keys and how they work together to create an SSL-encrypted connection. It also covers different types of algorithms that are used to create these keys including the mathematical equations.
Asymmetric key:
Symmetric key:
Researchers have found a vulnerability in the OpenSSL that could make it possible for intruder or an attacker to possibly get the private encrypted keys.Attacks leave no trace in server logs. The bug has been present in the production versions of OpenSSL for more than two years.
The researchers working have said there is a possibility of attack even after the vulnerable websites install the OpenSSL patch.The issue roots from the possibility that attackers could have already exploited the vulnerability to recover the private key of the digital certificate, passwords used to administer the sites, or authentication cookies and similar credentials used to validate users to restricted parts of a website.
A complete recovery from this bug would be an impossible mission as to revoke all the exposed keys, reissuing new keys, and invalidating all session keys and session cookies.
The bug is referenced to be CVE-2014-0160 , which makes it possible for the attackers to download 64 kilobytes of memory from the server or client computer running a vulnerable OpenSSL version.It is announced the company has now patched the OpenSSL vulnerability last week and is still checking over the likelihood that private keys appeared in memory and were recovered by attackers who knew how to exploit the flaw before the disclosure.
TLS servers designed to entrap attackers in an attempt to see if the bug is being actively exploited in the wild.