A major security bug has been discovered which impacts OpenSSL and could have substantial repercussions across the Internet. Known as “Heartbleed”, the bug appears to have left the bulk of the Internet vulnerable to a range of abuses over the last two years. The bug impacts the SSL and TLS security protocols.
Secure Sockets Layer, or SSL, provides a layer of encryption that helps secure Internet transactions. SSL is a “cryptographic protocol”; when a site uses it, its URL prefix changes from “http” to “https”. It is most often used where secure interactions are required, particularly for online payments and shopping. The protocol stops third parties from intercepting sensitive data (such as credit card numbers) as it travels across the Internet.
OpenSSL is an open-source library that implements SSL and its successor, Transport Layer Security (TLS). It is widely used by Apache and nginx web servers. According to Netcraft, nearly 65% of the Internet uses these server technologies.
Officially designated CVE-2014-0160, Heartbleed is a vulnerability in OpenSSL's encryption code that could allow an attacker to access the secure channels used by ecommerce websites and other Internet sites that store sensitive data and passwords. It affects an OpenSSL extension called “heartbeat”, which allows a secure communication channel to stay open. The Heartbleed bug enables attackers to read the memory of systems protected by OpenSSL.
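The defect in the heartbeat handler, modelled as an added example that is not code from this article or from OpenSSL: a responder that trusts the request's declared payload length, next to one that checks that length against the record it actually received. The record bytes and the "neighbouring memory" that follows them are constructed here for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16).
 * The bug: the responder trusts payload_length instead of the length of the record it received. */
#define HB_PADDING 16

/* Constructed demo memory: a 30-byte record whose header claims 64 payload bytes but carries 11,
 * followed by unrelated data standing in for whatever sat next to the record in the process heap. */
static const unsigned char arena[] =
    "\x01\x00\x40" "hello world" "PPPPPPPPPPPPPPPP"
    "SESSION=secret-session-cookie;user=alice";
static const size_t record_len = 1 + 2 + 11 + HB_PADDING;   /* 30: what the TLS layer delivered */

/* A well-formed request for comparison: payload_length (11) matches the bytes actually sent. */
static const unsigned char good_record[] = "\x01\x00\x0b" "hello world" "PPPPPPPPPPPPPPPP";
static const size_t good_len = 1 + 2 + 11 + HB_PADDING;

/* Builds the reply payload. Returns bytes copied into out, or -1 if the request is dropped.
 * Vulnerable form: copies payload_length bytes regardless of how long the record really is. */
int hb_reply_unchecked(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap) {
    (void)rec_len;                                    /* never consulted: that is the defect */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload > out_cap) return -1;
    memcpy(out, rec + 3, payload);                    /* reads past the record when payload > sent */
    return (int)payload;
}

/* Hardened form: the claimed length must fit inside the received record, else discard silently. */
int hb_reply_checked(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;
    if (payload > out_cap) return -1;
    memcpy(out, rec + 3, payload);
    return (int)payload;
}

/* Demo helpers: what each responder returns for the malformed and the well-formed request. */
int unchecked_reply_len(void) { unsigned char o[256]; return hb_reply_unchecked(arena, record_len, o, sizeof o); }
int checked_reply_len(void)   { unsigned char o[256]; return hb_reply_checked(arena, record_len, o, sizeof o); }
int checked_good_len(void)    { unsigned char o[256]; return hb_reply_checked(good_record, good_len, o, sizeof o); }
/* 1 if the unchecked reply carried the neighbouring "session cookie" bytes that were never in the record. */
int unchecked_reply_leaks(void) {
    unsigned char o[256];
    int n = hb_reply_unchecked(arena, record_len, o, sizeof o);
    return n > 0 && memcmp(o + 11 + HB_PADDING, "SESSION=secret", 14) == 0;
}
```

The unchecked responder answers with 64 bytes, 34 of which were never part of the request; the checked one drops the malformed request and still answers the well-formed one with its 11 payload bytes.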
Heartbleed was discovered by Codenomicon researchers and a member of Google's security team. A dedicated site, Heartbleed.com (http://heartbleed.com/), has been set up to provide additional information about the bug, including detailed guidance on how to protect systems from it.
According to the site:
“You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of the TLS. Furthermore, you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.”
Have you been impacted by Heartbleed? Let us know your experience. Add your comments below.