This post was contributed by a community member. The views expressed here are the author's own.

'Heartbleed'....the end of (web) innocence...

We have come to expect that data we exchange with websites is secure – that this information is protected from interception by unauthorized parties by Secure Sockets Layer (SSL) encryption. Most websites implement this protection using OpenSSL, a readily available open source product.

Recently, however, a security flaw in OpenSSL dubbed Heartbleed has been discovered that could allow attackers to decrypt, monitor, and steal all data exchanged between a user (us) and a web service (Amazon, Facebook, our bank?) without being detected. Security experts estimate that at least two-thirds of websites on the internet could be affected. According to ComputerWeekly.com, the flaw was discovered independently by researchers at the security firm Codenomicon and by Neel Mehta, of Google security, who first reported it to the OpenSSL team.

Heartbleed compromises the secret keys used to identify the service providers and to encrypt user IDs, passwords, and content, allowing attackers to eavesdrop on communications, impersonate users and services, and steal data. This vulnerability in OpenSSL was inadvertently introduced by Robin Seggelmann through a programming error while contributing code to the open source project in December 2011.

To validate and gauge the scale of this threat, the security firm CloudFlare issued a challenge to determine whether the flaw could be exploited. Four researchers working independently successfully demonstrated that a server’s private encryption key can be obtained through the Heartbleed bug, putting information at risk.

A bug fix is not yet available. In the meantime, service providers are being advised to revoke compromised cryptographic keys and reissue new ones. We've been advised, though, not to change our passwords to our favorite websites until the dust settles. I'll keep you posted...
