The start of this week saw the uncovering of a major security breach at the very core of the internet. Known globally as ‘Heartbleed’, it may have been exposing users’ personal information and passwords to hackers and other eavesdroppers for the past couple of years. Major websites such as Instagram, Pinterest, USMagazine.com, NASA, and Creative Commons, together with many other web services that use OpenSSL for encryption, were badly affected by this security flaw last Monday.
This bug was discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and by Neel Mehta of Google Security, who first reported it to the OpenSSL team. According to computer security expert Bruce Schneier, “‘catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.” The severity of the flaw has earned it its own website at HeartBleed.com, which states:
‘The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.’
So you had better change your passwords on websites that use OpenSSL right now, if you have not done so already.
Since the Heartbleed bug was revealed, a fixed version of OpenSSL has been released. It now has to be deployed by operating system vendors and distributions, appliance vendors and independent software vendors, who must also notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use. Reports suggest that over half a million widely trusted websites are vulnerable to the Heartbleed bug. Mashable has compiled a list of global websites and services that were affected by this breach. So if you have an account with major services such as Facebook, Instagram, Google, Tumblr, Pinterest and Yahoo, you had better change your password right now, if you have not done so already.