Heartbleed 101

Carvalho, Marco; DeMott, Jared D.; Ford, Richard; Wheeler, David A.

doi:10.1109/msp.2014.66

Cited by 59 publications

(23 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It was designed to give protection against the aforementioned problems, offering authentication, data integrity, and confidentiality through asymmetric and symmetric cryptography. In the recent past, protocol weaknesses such as Padding Oracle On Downgraded Legacy Encryption [14], Browser Exploit Against SSL and TLS, Factoring RSA Export Keys, and others, as well as implementation problems such as Heartbleed [15,16] and Apple’s goto fail bug [17] have arisen. The use of older protocol versions or deprecated implementations can lead to these or other issues surfacing and compromising the security and privacy of users.…”

Section: Introductionmentioning

confidence: 99%

Client-Focused Security Assessment of mHealth Apps and Recommended Practices to Prevent or Mitigate Transport Security Issues

Müthing¹,

Jäschke²,

Friedrich³

2017

JMIR Mhealth Uhealth

View full text Add to dashboard Cite

BackgroundMobile health (mHealth) apps show a growing importance for patients and health care professionals. Apps in this category are diverse. Some display important information (ie, drug interactions), whereas others help patients to keep track of their health. However, insufficient transport security can lead to confidentiality issues for patients and medical professionals, as well as safety issues regarding data integrity. mHealth apps should therefore deploy intensified vigilance to protect their data and integrity. This paper analyzes the state of security in mHealth apps.ObjectiveThe objectives of this study were as follows: (1) identification of relevant transport issues in mHealth apps, (2) development of a platform for test purposes, and (3) recommendation of practices to mitigate them.MethodsSecurity characteristics relevant to the transport security of mHealth apps were assessed, presented, and discussed. These characteristics were used in the development of a prototypical platform facilitating streamlined tests of apps. For the tests, six lists of the 10 most downloaded free apps from three countries and two stores were selected. As some apps were part of these top 10 lists in more than one country, 53 unique apps were tested.ResultsOut of the 53 apps tested from three European App Stores for Android and iOS, 21/53 (40%) showed critical results. All 21 apps failed to guarantee the integrity of data displayed. A total of 18 apps leaked private data or were observable in a way that compromised confidentiality between apps and their servers; 17 apps used unprotected connections; and two apps failed to validate certificates correctly. None of the apps tested utilized certificate pinning. Many apps employed analytics or ad providers, undermining user privacy.ConclusionsThe tests show that many mHealth apps do not apply sufficient transport security measures. The most common security issue was the use of any kind of unprotected connection. Some apps used secure connections only for selected tasks, leaving all other traffic vulnerable.

show abstract

Section: Introductionmentioning

confidence: 99%

Client-Focused Security Assessment of mHealth Apps and Recommended Practices to Prevent or Mitigate Transport Security Issues

Müthing¹,

Jäschke²,

Friedrich³

2017

JMIR Mhealth Uhealth

View full text Add to dashboard Cite

show abstract

“…Heart beat Request posts are a one-byte type field, a two-byte. Pay load field, a payload field and at least 16 bytes of random padding [5]. A solution against the Heart bleed vulnerability is a mechanism to check that the response is not longer than the request.…”

Section: Iiiii Threats Against Ldapmentioning

confidence: 99%

Use of Secure Repository for Passwordless Handshake to Enhance the Authentication

Krishna¹,

Aluri²,

Battu³

et al. 2019

IJITEE

View full text Add to dashboard Cite

In this paper we presented an innovative thought to provide better security for authentication procedure. In this procedure user’s password is restricted to transmit over the network, still provides the same security for authentication services. To accomplish this we have used smart card which adopts the Kerberos Protocol and a secure password repository. As the smart card system allows restricted access, it provides a secure place to keep credentials safe. Without revealing the secrets to public an authentication system may perform its scope by referencing to them through identifiers. This promotes the credibility of the mechanism while at the same time it achieves to reduce the overhead of the authentication systems due to the complex encryptions procedures

show abstract

“…Either endpoint may send a HeartbeatRequest signal after negotiation to check connectivity. HeartbeatRequest posts are a one-byte type field, a two-byte payload field, a payload field and at least 16 bytes of random padding [5]. A solution against the Heartbleed vulnerability is a mechanism to check that the response is not longer than the request.…”

Section: Threats Against Ldapmentioning

confidence: 99%

Authentication Mechanism Enhancement Utilising Secure Repository for Passwordless Handshake

Pikrammenos¹,

Tolis²,

Perakis³

2019

IJNSA

View full text Add to dashboard Cite

In this paper the idea of an enhanced security authentication procedure is presented. This procedure prohibits the transmission of the user's password over the network while still providing the same authentication service. To achieve that, Kerberos Protocol and a secure password repository are adopted, namely a smart card. The conditional access to a smart card system provides a secure place to keep credentials safe. Then, by referencing to them through identifiers, an authentication system may perform its scope without revealing the secrets at all. This elevates the trustworthiness of the mechanism while at the same time it achieves to reduce the overhead of the authentication systems due to the elaborate encryptions procedures.

show abstract

Heartbleed 101

Cited by 59 publications

References 0 publications

Client-Focused Security Assessment of mHealth Apps and Recommended Practices to Prevent or Mitigate Transport Security Issues

Client-Focused Security Assessment of mHealth Apps and Recommended Practices to Prevent or Mitigate Transport Security Issues

Use of Secure Repository for Passwordless Handshake to Enhance the Authentication

Authentication Mechanism Enhancement Utilising Secure Repository for Passwordless Handshake

Contact Info

Product

Resources

About