Heartbleed, a recently discovered bug in the software responsible for securing web communications, may have left nearly 70 percent of the Internet vulnerable to eavesdropping over the past two years. Here’s what you need to know about the Heartbleed bug, and what you can do to keep your organization’s data safe.
What is Heartbleed?
Heartbleed is a bug in some versions of the popular OpenSSL software, which provides security and privacy for communication over the Internet, e.g. email, instant messaging and some virtual private networks (VPNs). Whereas a virus is software written by someone with malicious intent, a bug is an unintended flaw in the code of an existing program that can then be exploited, which is what we’re seeing with Heartbleed.
Why the Name?
In simplest terms, OpenSSL has a component referred to as the “heartbeat,” which keeps a communication session alive without constantly renegotiating the security protocol. The Heartbleed vulnerability allows data to leak out through that heartbeat extension: a flaw in it lets a remote party read contents of the server’s memory that should never have been sent.
What is OpenSSL?
SSL stands for Secure Sockets Layer and is what the “s” at the end of “https” (the prefix you see on web addresses) stands for. It encrypts your communication with a website so that a third party can’t eavesdrop while you’re banking, shopping or reading your email. OpenSSL is an open-source implementation of SSL used by the Apache and nginx web servers, which together power almost two-thirds of all websites.
One of the more troubling aspects of Heartbleed is how difficult it is to identify when the bug has been exploited. You can, however, test your organization's site to see if it’s vulnerable.
Protect Your Site
If the above test reveals that your organization’s site is vulnerable, OpenSSL recommends that you upgrade to OpenSSL version 1.0.1g, which patches the Heartbleed vulnerability.
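To make the “heartbeat” explanation and the 1.0.1g fix concrete, here is an added illustration in Python; it is not from the original article and not OpenSSL’s own code. A heartbeat request declares how many payload bytes it carries; the unpatched handler trusted that number, and the 1.0.1g fix checks it against the length of the record actually received. The simulated process memory and the “secret” sitting next to the record are constructed sample data.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = 16  # TLS heartbeat messages end with at least 16 bytes of padding

# Constructed sample data: whatever happened to sit in server memory right
# after the received record (here a made-up session cookie).
SECRET_NEIGHBOUR = b"session_cookie=abc123;"

def build_request(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Heartbeat request: type (1 byte) | payload_length (2 bytes) | payload | padding.
    A well-formed client declares the true payload length; a malformed one does not."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + b"\x00" * PADDING

def _echo(memory: bytes, declared_len: int) -> bytes:
    """Build the response by copying declared_len bytes from just after the header."""
    echoed = memory[3:3 + declared_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, declared_len) + echoed + b"\x00" * PADDING

def vulnerable_handler(record: bytes) -> bytes:
    """Pre-1.0.1g behaviour (simulated): trusts the declared length and copies that
    many bytes, reading past the end of the record into neighbouring memory."""
    memory = record + SECRET_NEIGHBOUR  # simulated adjacent heap contents
    hb_type, declared_len = struct.unpack("!BH", memory[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    return _echo(memory, declared_len)

def fixed_handler(record: bytes) -> bytes:
    """1.0.1g behaviour: header, declared payload and padding must all fit inside
    the record that was actually received; otherwise the message is silently dropped."""
    memory = record + SECRET_NEIGHBOUR
    hb_type, declared_len = struct.unpack("!BH", memory[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    if 1 + 2 + declared_len + PADDING > len(record):
        return b""
    return _echo(memory, declared_len)

def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Everything the response echoed beyond what the client actually sent."""
    if not response:
        return b""
    _, declared_len = struct.unpack("!BH", response[:3])
    return response[3:3 + declared_len][len(sent_payload):]
```

With an honest request both handlers echo only the payload; with a request whose declared length is too large, `vulnerable_handler` returns the padding plus the neighbouring data, while `fixed_handler` returns nothing.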
Change Your Passwords
But only on sites that have patched their servers. Otherwise, your new password is just as vulnerable. You can check to see which sites have fixed the problem here.
Google, Yahoo!, Facebook, Microsoft
These are among the major sites and software providers that have already rolled out patches to their key services. They should now be safe to use once you have reset your login information.