Date: Friday, April 11th, 2014, 08:25
Category: Announcement, Hacks, privacy, security, Websites
A newly announced bug, dubbed “Heartbleed”, has online companies on the run as they race to patch the vulnerability. In spite of all the current fervor, however, the bug has actually been around for about two years. It may also be the first wide-scale bug to have its own web page and logo (heartbleed.com). Heartbleed stems from a flaw in the widely used OpenSSL library. OpenSSL is the cryptographic software that protects information being transferred from server to server throughout the internet. It is meant to stop hackers from intercepting secure information such as logins, usernames, passwords, credit card numbers, and other personal information.
The Heartbleed web site explains why this bug is different from the ‘casual’ bugs that come and go in software from version to version:
“Bugs in single software or library come and go and are fixed by new versions. However this bug has left large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace [emphasis mine] this exposure should be taken seriously.”
Ultimately there are two parts to the solution. The first is that service providers need to implement the already available fix to the OpenSSL library, which many have done or are working on. The second part is optional, but highly recommended if you want to ensure that your information is safe: change the passwords for your online accounts. Since exploiting the bug leaves no trace, you won’t know whether you are affected until it is too late.
Mashable has a list of many commonly used web services with their level of vulnerability and the state of their upgrade to the new version of OpenSSL. A sample can be seen in the image below.
As an additional resource, you can check whether your favorite websites are vulnerable on this web site, though this service is reportedly not 100 percent reliable. Sites reported to be vulnerable should not be logged into until they are patched; checking those sites’ blogs or Twitter feeds should provide updates on their status.