The Heartbleed Bug – if you run web servers that use https and OpenSSL, you need to update now

Heartbleed logo by http://www.codenomicon.com/

A group of researchers have discovered a 2 year old flaw in the OpenSSL library used by web servers to encrypt communications between users and the server. These are the websites that you would use “https” instead of “http” and include websites that offer cloud services (such as email) that require user to login to banking and e-commerce websites.

Dubbed the Heartbleed bug because the flaw is in a particular part of the OpenSSL code called heartbeat. As the Heartbleed website (http://heartbleed.com/) says:

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

Website operators that use OpenSSL need to update their servers and reissue their security certificates (if case, they were already stolen due to the Heartland bug).

End users should limit their visits to websites that use of SSL (hard I know), change their passwords after being advised by websites to do so and in the near future, consider changing all of your online passwords.

 

Various links to learn more:

  • ReadWrite article
    http://readwrite.com/2014/04/08/heartbleed-openssl-bug-cryptography-web-security/
  • http://heartbleed.com/ – site by the researchers that discovered the flaw
  • https://lastpass.com/heartbleed/ – site to test websites if they are vulnerable.
  • http://filippo.io/Heartbleed/ – another site to test websites if they are vulnerable