On Monday, April 7, security researchers from Google’s security team and Codenomicon reported a security flaw, dubbed “Heartbleed”, in OpenSSL, the cryptographic library most of the web relies on to encrypt traffic. You may be affected directly or indirectly, because OpenSSL is the most widely used implementation for encrypting traffic over the Internet: web servers such as Apache and nginx use it, and the combined market share of those two was over 66%.
Codenomicon has set up Heartbleed.com to address/explain the issue in detail as well as to release any news specific to the Heartbleed bug. I’ve listed the gist below from the website as well as other news sources:
- OpenSSL is also used by email servers (POP, SMTP, IMAP), chat servers (XMPP) and virtual private networks (VPN). This means your email service, whether accessed from a browser or a mobile device, could be affected; instant messaging services could be compromised; and so could your company’s servers.
- OpenSSL released an emergency patch on Monday, April 7, 2014. Websites that use OpenSSL are advised to upgrade immediately to the patched release, OpenSSL 1.0.1g.
- Unfortunately, exploitation of the bug leaves no traces, so there is no way to detect whether you were directly affected.
- A developer, Filippo Valsorda, has published a tool that lets you check whether a website is vulnerable here.
- According to Valsorda’s site, Google, Facebook, Twitter and Dropbox are not affected.
- Notable affected sites include Yahoo, Tumblr, Imgur, Flickr, OKCupid, Eventbrite and Stack Exchange. You can find a compilation here.
- The bug is called Heartbleed because:
“Bug is in the OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.” (Heartbleed.com)
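The quoted description can be made concrete with a simplified model of the heartbeat handling. The following is an added illustration, not OpenSSL’s code: a constructed buffer stands in for process memory, the “vulnerable” function trusts the payload length claimed in the heartbeat header (the pre-patch behaviour), and the “fixed” function adds the length check that the 1.0.1g patch introduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Simplified model of TLS heartbeat handling (RFC 6520). A heartbeat record is:
 * 1-byte type, 2-byte payload_length (big-endian), payload, then >= 16 bytes
 * of padding. The responder echoes the payload back to the requester.
 */
#define HB_PADDING 16

/* Constructed "process memory" (not real captured data): a 21-byte heartbeat
 * record whose header claims a 32-byte payload but carries only 2 bytes,
 * followed by unrelated data that stands in for whatever a real server
 * happened to hold next to the record (keys, cookies, other users' data). */
static const unsigned char process_memory[] =
    "\x01"                  /* type: heartbeat_request             */
    "\x00\x20"              /* payload_length claimed: 32          */
    "hi"                    /* the 2 payload bytes actually sent   */
    "PPPPPPPPPPPPPPPP"      /* 16 bytes of padding                 */
    "SECRET-COOKIE=abc123"; /* neighbouring memory, never sent     */
static const size_t record_len = 1 + 2 + 2 + HB_PADDING; /* 21 bytes received */

/* Pre-patch behaviour: copies as many bytes as the header claims, without
 * comparing that against the number of bytes actually received.
 * Returns the number of bytes echoed back. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out)
{
    (void)rec_len;                               /* the bug: length never used */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + 3, payload);               /* reads past the record */
    return payload;
}

/* 1.0.1g behaviour: silently discard the record unless the claimed payload
 * plus header and minimum padding fits in what was received.
 * Returns the number of bytes echoed back, or 0 if the record is rejected. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out)
{
    if (rec_len < 1 + 2 + HB_PADDING)            /* too short to be valid */
        return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len)  /* the added bounds check */
        return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}
```

With the constructed record, the vulnerable handler echoes 32 bytes, 14 of which come from the neighbouring “secret”, while the fixed handler rejects the same record and accepts it only when the claimed length matches what was sent.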
What you can do
Unless you’re a system administrator, there’s not much you can do. However, once a website has updated its OpenSSL to the emergency patch, as Yahoo has done, change your password for that service immediately, in case you were affected. Mashable has compiled a list of websites where you need to update your password as soon as possible.
Update: Added link to Mashable for list of websites.