Heartbleed is a flaw in OpenSSL, the open-source cryptography library that an estimated two-thirds of web servers use to implement SSL/TLS. It sits behind many of the HTTPS sites that collect personal or financial information, the sites a browser marks with a lock icon to tell visitors that what they send is hidden from prying eyes. The bug lets an attacker read chunks of the memory of any server (or client) running a vulnerable version of OpenSSL, up to 64 KB per request, without leaving anything unusual in ordinary server logs. That memory can hold the server's private key, which identifies the service and protects its traffic, as well as the plaintext that key was protecting: usernames, passwords, session cookies and other user data. With those in hand an attacker can eavesdrop on communications, steal data directly from the service and its users, and impersonate either side.
It was discovered independently by Neel Mehta of Google's security team and by engineers at Codenomicon, a Finnish security firm. The researchers have put up a dedicated site, heartbleed.com, to answer common questions about the bug. They even gave it an adorably gruesome custom logo!
The bug (CVE-2014-0160) is in OpenSSL's implementation of the TLS/DTLS heartbeat extension (RFC 6520), a keep-alive in which one side sends a short payload and the other echoes it back, hence the name. OpenSSL copied back the number of bytes the sender claimed to have sent rather than the number it had actually received, so a request that claimed a large payload but carried a small one got back up to 64 KB of whatever happened to lie next to it in the server's memory.
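The length check at the heart of the bug, as an added example written for this article rather than OpenSSL's own code: the two handlers below mirror the shape of the vulnerable (1.0.1 to 1.0.1f) and fixed (1.0.1g) heartbeat processing. The simulated memory buffer, the "hello" payload and the PRIVATE_KEY=hunter2 secret are constructed for the demonstration; in a real process the secret would be whatever the heap held next to the incoming record.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated process memory (constructed for this example): the incoming heartbeat
 * record sits at the front and a secret, standing in for a private key or another
 * user's session data, sits just past it, as it might on the real heap. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define PADDING_LEN 16          /* RFC 6520 requires at least 16 bytes of padding */

static unsigned char memory[256];

typedef int (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

/* Lay out a heartbeat request in `memory`: type(1) | payload_length(2) | payload | padding.
 * `claimed_len` is what the sender writes in the length field; the real payload is strlen(payload).
 * Returns the record length that the TLS record layer would report for this message. */
size_t build_heartbeat(const char *payload, uint16_t claimed_len, const char *secret) {
    size_t actual = strlen(payload);
    size_t rec_len = 1 + 2 + actual + PADDING_LEN;
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(memory + 3, payload, actual);
    memcpy(memory + rec_len, secret, strlen(secret));   /* adjacent heap data */
    return rec_len;
}

/* Shared response construction: echo `payload` bytes starting at `pl`. */
static int write_response(const unsigned char *pl, uint16_t payload,
                          unsigned char *out, size_t out_cap) {
    size_t resp_len = 1 + 2 + (size_t)payload + PADDING_LEN;
    if (resp_len > out_cap) return -1;   /* keeps the simulation itself in bounds */
    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);             /* the over-read happens here when payload is a lie */
    bp += payload;
    memset(bp, 0, PADDING_LEN);
    return (int)resp_len;
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1 through 1.0.1f: the attacker-supplied
 * length field is trusted and rec_len (the record layer's real length) is never consulted. */
int hb_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap) {
    const unsigned char *p = rec;
    (void)rec_len;
    unsigned hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != HB_REQUEST) return -1;
    return write_response(p, payload, out, out_cap);
}

/* Fixed handler, modelled on the 1.0.1g bounds checks: a message whose claimed payload
 * does not fit inside the received record is silently discarded (RFC 6520 section 4). */
int hb_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap) {
    if (1 + 2 + PADDING_LEN > rec_len) return -1;
    const unsigned char *p = rec;
    unsigned hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + PADDING_LEN > rec_len) return -1;   /* the missing check */
    if (hbtype != HB_REQUEST) return -1;
    return write_response(p, payload, out, out_cap);
}

static int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Malformed request: claims 64 bytes, carries 5. Returns 1 if the secret shows up in the reply. */
int secret_leaks(hb_handler handler) {
    unsigned char response[256];
    size_t rec_len = build_heartbeat("hello", 64, "PRIVATE_KEY=hunter2");
    int n = handler(memory, rec_len, response, sizeof response);
    return n > 0 && contains(response, (size_t)n, "hunter2");
}

/* Well-formed request: claimed length matches the payload, and the reply must echo it. */
int echo_works(hb_handler handler) {
    unsigned char response[256];
    size_t rec_len = build_heartbeat("hello", 5, "PRIVATE_KEY=hunter2");
    int n = handler(memory, rec_len, response, sizeof response);
    return n == 1 + 2 + 5 + PADDING_LEN && response[0] == HB_RESPONSE
        && memcmp(response + 3, "hello", 5) == 0;
}

int main(void) {
    printf("vulnerable: leak=%d echo=%d\n", secret_leaks(hb_vulnerable), echo_works(hb_vulnerable));
    printf("fixed:      leak=%d echo=%d\n", secret_leaks(hb_fixed), echo_works(hb_fixed));
    return 0;
}
```

The vulnerable handler answers the malformed request with 64 bytes starting at the 5-byte payload, so the secret placed after the record comes back in the reply; the fixed handler compares the claimed length against the record length it actually received and drops the message, while still echoing a well-formed heartbeat normally.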
This bug is as serious as they come: it has left roughly two thirds of the internet's SSL/TLS servers exposed. Some researchers have reported what may be traces of the attack in logs dating back to November 2013, and attacks could date back further still, since the flaw was introduced in OpenSSL 1.0.1, released in March 2012, and is present in every 1.0.1 release up to 1.0.1f as well as 1.0.2-beta1 (the 1.0.0 and 0.9.8 branches are not affected). Many popular sites, including Facebook, Dropbox, Yahoo and Gmail, were vulnerable and have since patched their servers.
At the very least, Heartbleed exposes your usernames and passwords. It also exposes the session cookies that keep you logged in to a website, letting an outsider pose as you with no password required. And because the server's private key can leak, an attacker can pose as the real website and dupe you into giving up your personal details.
If you run a website over SSL/TLS there is a good chance you have been vulnerable. You can use one of the free tools available, such as GeoTrust's SSL Checker, to scan your site, or check the library on the server itself with the command openssl version: 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable, 1.0.1g is fixed, and 1.0.0 and 0.9.8 were never affected. Note that Linux distributions often backport the fix while keeping the old version number, so compare the package release against your vendor's advisory rather than the bare version string. If you are vulnerable, patch as soon as possible, before attackers take advantage of the public disclosure: upgrade to 1.0.1g (or rebuild with -DOPENSSL_NO_HEARTBEATS) and restart every service that links OpenSSL. Patching alone is not enough, because your private key may already have been read: generate a new key, reissue your certificate and revoke the old one, and have your users change their passwords once the site is fixed, not before.
The OpenSSL project has published its security advisory at https://www.openssl.org/news/secadv_20140407.txt. NCSC-FI published an advisory at https://www.cert.fi/en/reports/2014/vulnerability788210.html. Operating system distributors, owners of affected Internet services, and software package and appliance vendors may also issue their own advisories.