The Biggest Security Issue In A Long Time: OpenSSL’s Heartbleed Bug
A major new security vulnerability known as Heartbleed was disclosed on Monday, with potentially severe implications for the entire Web as well as for other applications that use the OpenSSL library, such as encrypted email. The bug lets an attacker read up to 64 kilobytes of a server’s memory per request, and the request can be repeated at will, so whatever happens to be sitting in that memory can leak: usernames, passwords, credit card numbers and, in the worst case, the server’s private key, the secret half of its SSL certificate. According to some estimates, 66% of all web servers on the internet run software that uses OpenSSL, and some estimate that about one third of those may actually be running a vulnerable version. Most large websites, such as facebook.com, yahoo.com, okcupid.com, and some of the larger bitcoin trading websites, have been patched as of today. Gmail was patched before the public disclosure, and because Google’s servers use Perfect Forward Secrecy a leaked key would not expose previously recorded sessions, but this is by far the exception to the rule.
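To make the "reads 64 kilobytes of memory" claim concrete, here is an added example (not code from the article and not OpenSSL’s own source) that models the heartbeat handling behind Heartbleed. A TLS heartbeat message is a one-byte type, a two-byte big-endian payload length, the payload, and at least 16 bytes of padding; the vulnerable code trusted the attacker-supplied length and copied that many bytes into the response, and the fix rejects any message whose declared length does not fit inside the record actually received. The `arena` layout, the `SECRET` string, the `"ping"` payload and the 48-byte declared length are all constructed for the demo so that the over-read stays inside a real buffer and the C remains well defined.

```c
/*
 * Added example modelling CVE-2014-0160 (Heartbleed); not the article's
 * code and not OpenSSL's source. A contiguous "process memory" arena is
 * constructed so the over-read stays inside a real buffer.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* heartbeat messages carry at least 16 bytes of padding */

/* Constructed arena: heartbeat record at offset 0, then unrelated "secret"
 * data that happens to sit next to it in the server's memory. */
static unsigned char arena[64];
static const char SECRET[] = "user=alice&pw=hunter2";   /* constructed sample data */

/* Build a heartbeat request: type(1) | payload_len(2, big-endian) | payload | padding.
 * declared_len is what the sender writes in the length field; actual_payload is how
 * many payload bytes are really present. Returns the true record length. */
static size_t build_heartbeat(unsigned char *rec, uint16_t declared_len,
                              const char *payload, size_t actual_payload)
{
    rec[0] = TLS1_HB_REQUEST;
    rec[1] = (unsigned char)(declared_len >> 8);
    rec[2] = (unsigned char)(declared_len & 0xff);
    memcpy(rec + 3, payload, actual_payload);
    memset(rec + 3 + actual_payload, 0, HB_PADDING);
    return 1 + 2 + actual_payload + HB_PADDING;
}

static uint16_t read_u16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable handler: echoes `payload` bytes after the 3-byte header, trusting the
 * length field. Returns the number of bytes written to resp. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *resp, size_t resp_cap)
{
    (void)rec_len;                        /* the bug: the real record length is never consulted */
    uint16_t payload = read_u16(rec + 1);
    if ((size_t)3 + payload + HB_PADDING > resp_cap) return 0;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);   /* over-read: copies whatever follows the record */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed handler, following the shape of the OpenSSL 1.0.1g fix: silently discard the
 * message if header + declared payload + padding does not fit in the received record. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *resp, size_t resp_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;              /* too short for a valid heartbeat */
    uint16_t payload = read_u16(rec + 1);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0;   /* the missing bounds check */
    if ((size_t)3 + payload + HB_PADDING > resp_cap) return 0;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Portable substring search over a byte buffer (memmem is not standard C). */
static int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= len; i++)
        if (memcmp(buf + i, needle, nl) == 0) return 1;
    return 0;
}

/* Lay out the arena: a heartbeat with a 4-byte "ping" payload, SECRET right after it. */
static size_t setup_arena(uint16_t declared_len)
{
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_heartbeat(arena, declared_len, "ping", 4);
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

typedef size_t (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

/* Send a request that claims `declared_len` payload bytes (only 4 are present) and
 * report whether the response contains the neighbouring secret. */
static int leaks_secret(hb_handler h, uint16_t declared_len)
{
    unsigned char resp[128];
    size_t rec_len = setup_arena(declared_len);
    size_t n = h(arena, rec_len, resp, sizeof resp);
    return contains(resp, n, "hunter2");
}

int vulnerable_leaks_secret(void) { return leaks_secret(heartbeat_vulnerable, 48); }
int fixed_leaks_secret(void)      { return leaks_secret(heartbeat_fixed, 48); }

/* An honest request (declared length matches the payload) must still be answered. */
int fixed_answers_honest_request(void)
{
    unsigned char resp[128];
    size_t rec_len = setup_arena(4);
    size_t n = heartbeat_fixed(arena, rec_len, resp, sizeof resp);
    return n == rec_len && contains(resp, n, "ping");
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler leaks secret:      %d\n", fixed_leaks_secret());
    printf("fixed handler answers honest:    %d\n", fixed_answers_honest_request());
    return 0;
}
```

The real attack differs only in scale: the length field is 16 bits, so each request can pull up to 65,535 bytes of whatever lies beyond the record, and nothing stops the attacker from sending thousands of such requests to sweep through the process heap.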
Experts are recommending changing passwords for banking and online bill payment websites, PayPal, and any other website where financial transactions are conducted, such as investment and stock trading sites, but only once the site in question has confirmed that it has been patched: a new password entered on a still-vulnerable server can be stolen just as easily as the old one.
The attack does not set off standard server alarms and leaves nothing in ordinary logs, so there is no reliable way to tell whether a server has been breached. If a server’s private key has been read from its memory, then all past communications with that server, and all future ones until the operator patches the software, generates a new key and obtains a new SSL certificate (revoking the old one), can be decrypted by anyone who has recorded the traffic, whether criminals or a dubious ISP, unless the connections used a forward-secret key exchange.