The OpenSSL library that secures a large share of the web's encrypted transactions turns out to be less secure than expected, and the Heartbleed bug has sent users and administrators scrambling to fix it. The flaw is not in the SSL/TLS protocol itself but in OpenSSL's implementation of it, and it exposes server memory that can contain passwords, credit-card numbers, email credentials and e-commerce account details belonging to millions of people. Users are being asked to change all of their passwords, but sadly many will ignore the warning, which only adds to the exposure.
The vulnerability, called Heartbleed, affects the OpenSSL encryption library, which protects much of the web's secure traffic, including that of the financial services industry.
It has been reported that almost 60 percent of the secure sites on the web use OpenSSL. More than 10,500 sites have been tested with a scanner published on GitHub, and while some patches have been deployed, scores of sites remain vulnerable. According to many security experts, it makes little sense to change your password on a site until the vulnerability has been fixed there with the latest patch.
Changing a password is only effective once the site has patched the vulnerability and replaced its certificate; until then the new password can be captured the same way as the old one. A site that has reissued its certificate will show a new issue date on the SSL certificate, which can be inspected in the browser. The best thing that can be done at this point is to ensure that passwords are not reused across sites.
The Heartbleed bug that has users scrambling is not a virus maliciously written and planted in systems by hackers, but a flaw in the code that was introduced about two years ago. The code is part of OpenSSL, which is open source, meaning it is available to all: anyone may read it, audit it and improve it. The project is managed by the OpenSSL Software Foundation, but it has only a handful of developers, most of whom have other day jobs, with reportedly a single person working on it full time, and there is a large code base to maintain.
The flaw allows an attacker to read chunks of the server's memory, up to 64 KB per request and repeated as often as desired. That memory can contain the server's private key, which can be used to decrypt recorded SSL sessions that did not use forward secrecy, as well as whatever user names, passwords and session cookies happen to be in memory at the time.
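The over-read described above, shown as an added example that is not part of the original article and is not OpenSSL's own source: a small C model of the heartbeat handler before and after the fix. The 256-byte `memory` arena, the `secret` string, the `build_heartbeat` and `probe` helpers and their constructed messages are assumptions of this demo; the two length checks in `heartbeat_patched` mirror the checks the OpenSSL 1.0.1g patch added.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1   /* heartbeat message types, RFC 6520 */
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16  /* minimum padding a heartbeat must carry */

/* Constructed stand-in for the server's process memory (an assumption of this
   demo, not real OpenSSL data): the incoming heartbeat record is placed at the
   start and a secret from another session sits further along, as on a real heap. */
static unsigned char memory[256];
static const char secret[] = "password=hunter2";   /* constructed sample data */

/* A TLS record as the handler sees it: start address and the length the
   record layer actually received. */
struct tls_record { const unsigned char *data; size_t length; };

/* Writes a heartbeat request into buf: `claimed` goes into the 16-bit
   payload_length field, but only `actual` payload bytes are really present.
   Returns the true record length. */
static size_t build_heartbeat(unsigned char *buf, uint16_t claimed, size_t actual)
{
    buf[0] = TLS1_HB_REQUEST;
    buf[1] = (unsigned char)(claimed >> 8);
    buf[2] = (unsigned char)(claimed & 0xff);
    memset(buf + 3, 'A', actual);               /* payload */
    memset(buf + 3 + actual, 0, HB_PADDING);    /* padding */
    return 3 + actual + HB_PADDING;
}

/* Vulnerable handler, modelled on the pre-1.0.1g logic: it trusts the
   attacker-supplied payload_length and never compares it with rec->length, so
   the memcpy reads past the end of the record into neighbouring memory and
   echoes it back. Returns a heap-allocated response and its length. */
static unsigned char *heartbeat_vulnerable(const struct tls_record *rec, size_t *out_len)
{
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return NULL;
    size_t n = 1 + 2 + (size_t)payload + HB_PADDING;
    unsigned char *resp = malloc(n);
    if (resp == NULL) return NULL;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, payload);               /* the over-read: length never checked */
    memset(resp + 3 + payload, 0, HB_PADDING);
    *out_len = n;
    return resp;
}

/* Patched handler, modelled on the checks added in OpenSSL 1.0.1g: a request
   whose claimed payload does not fit in the record received is silently
   dropped. Once the length is bounded, the same copy is safe. */
static unsigned char *heartbeat_patched(const struct tls_record *rec, size_t *out_len)
{
    if ((size_t)(1 + 2 + HB_PADDING) > rec->length) return NULL;      /* too short to be valid */
    uint16_t payload = (uint16_t)((rec->data[1] << 8) | rec->data[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->length) return NULL;   /* the fix */
    return heartbeat_vulnerable(rec, out_len);
}

/* Portable substitute for memmem. */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

typedef unsigned char *(*hb_handler)(const struct tls_record *, size_t *);

/* Sends one heartbeat through a handler. Returns -1 if the request was dropped,
   1 if the response carries the other session's secret, 0 if it was answered
   without leaking. `claimed` is capped by the arena here; a real server hands
   over up to 64 KB per request. */
static int probe(hb_handler handler, uint16_t claimed, size_t actual)
{
    if ((size_t)claimed + 3 > sizeof memory || actual + 3 + HB_PADDING > sizeof memory) return -2;
    memset(memory, 0, sizeof memory);
    memcpy(memory + 64, secret, strlen(secret));   /* another session's data, 64 bytes in */
    struct tls_record rec = { memory, build_heartbeat(memory, claimed, actual) };
    size_t n = 0;
    unsigned char *resp = handler(&rec, &n);
    if (resp == NULL) return -1;
    int leaked = contains(resp, n, secret);
    free(resp);
    return leaked;
}

int main(void)
{
    printf("vulnerable, honest request (5/5) : %d\n", probe(heartbeat_vulnerable, 5, 5));
    printf("vulnerable, claims 200, sends 0  : %d\n", probe(heartbeat_vulnerable, 200, 0));
    printf("patched,    claims 200, sends 0  : %d\n", probe(heartbeat_patched, 200, 0));
    printf("patched,    honest request (5/5) : %d\n", probe(heartbeat_patched, 5, 5));
    return 0;
}
```

Compiled with any C compiler, the model prints 0, 1, -1, 0: the honest request is answered normally by both handlers, the malformed one (claimed length 200, no payload) makes the vulnerable handler echo back the neighbouring secret, and the patched handler drops it. Note that the attacker does not choose what comes back; it is whatever happens to sit after the record in memory, which is why repeated probing is what turns the bug into stolen keys and credentials.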
For users, the most important thing is to know whether a site you use is affected: if it has not patched and is still running a vulnerable OpenSSL release, it is exposed. Keep informed of the action the site is taking.
Estimates are that the Heartbleed flaw has affected at least 6 percent of the biggest sites on the web, with millions of lesser-known ones also vulnerable, so it is important to know which of your accounts are at risk and how and when the issue will be addressed.
Some security experts have raised the concern further and suggest that users stay off the Internet for a few days to see how the affected companies respond. Being on the web is never without risk, since malware is constantly circulating, and at this point there are reports that attackers are extremely busy scanning for sites affected by the Heartbleed flaw.
Written By Dale Davidson