Security Warning – Heartbleed Bug
From: Stuart Waddington
An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. Writing about Heartbleed, security expert Bruce Schneier says “‘catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”
The internet has a set of protocols for handling secure website traffic, commonly referred to as SSL (Secure Socket Layer). One common implementation of this protocol is known as OpenSSL which runs on around 66% of the web including popular sites such as gmail and facebook.
Vulnerable versions of the OpenSSL software are now being patched with updates, you can check to see if a site remains vulnerable by using the Heartbleed test website.
What is not clear at this stage, is if any sensitive information has been harvested. Lots of software packages began using the vulnerable version of OpenSSL in December 2011, so for two years any website which used this technology was susceptible and the nature of this particular bug prevents site administrators from detecting if their sites were compromised during this time.
At this point there is no indication that hackers knew about the exploit before this week, there have been no confirmed password lists stolen. However, it is still a good idea to change all of your passwords as information could have been harvested from vulnerable websites during this period.
Although changing your password regularly is always good practice, if a site or service hasn’t yet patched the problem, your information will still be vulnerable. It’s worth waiting to make sure that each service you use has patched its servers using the above link before changing your password.
As always a strong password is important and the Heartbleed bug has also highlighted how important it is to use different passwords on each website that you use.