Remember in the early days of the Internet, you were reminded to look for the letters HTTPS, and the yellow “lock” in many browsers, before entering credit card or Social Security information. The HTTPS protocol was different than the standard HTTP in that it was secure. That security was provided by a module called OpenSSL. OpenSSL encrypted the data coming from your browser to the server and back to your browser. This used a series of private keys and certificates so it was not very easy – back then – to decrypt the information without access to the server.
Everyone thought SSL was very, very secure….until now.
A researcher at Google discovered that by sending a certain string of commands to a vulnerable server, he could get the server to send back 64 kilobytes of its memory. This memory might contain the last transactions the server made, passwords and logins of the last users, secure certificate information or the keys to the server; meaning information that would compromise the secure passkeys and allow someone to decrypt all information flowing through the server. This has been dubbed the Heartbleed bug since it exploits the “heartbeat” cycle of the OpenSSl module.
Google researchers discovered that the Heartbleed bug was present in the current version and several earlier versions, of the OpenSSL module, dating back for nearly two years. It was also determined that accessing the server through the bug did not write any of its operations to the server logs, which means there was no trail and no evidence that any breach to the server was made. This means that not only is there a known security hole, there is no way to know if someone has driven a truck through it and carted off all the encrypted data and the keys to unlock it.
Needless to say, the people at OpenSSL were up late working with the Google researchers and others to identify the problem code and work out a fix. A patch is already available for the broken OpenSSL and all Apache web server administrators are being urged to patch their systems immediately.
There is no easy way for a user to know if the site you are about to place your secure information on is vulnerable, or if one you have used was hacked. Security specialists are encouraging administrators and users to change their passwords, especially on systems that have highly sensitive information such as bank accounts.
For information check out these links: