
'Heart Bleed', an OpenSSL bug that exposes web encryption



Security researchers announced a security flaw named 'Heart Bleed' in OpenSSL, a popular data encryption standard, that gives hackers who know about it the ability to extract massive amounts of data from the services that we use every day and assume are mostly secure. This isn't simply a bug in some app that can quickly be updated - the vulnerability is on the machines that power services that transmit secure information, like Facebook and Gmail.

About : It affects the encryption technology designed to protect online accounts for email, instant messaging and e-commerce. It was discovered by a team of researchers from the Finnish security firm Codenomicon, along with a Google Inc. researcher who was working separately. The damage caused by the “Heartbleed” bug is currently unknown. The security hole exists on a vast number of the Internet’s Web servers and went undetected for more than two years. While it’s conceivable that the flaw was never discovered by hackers, it’s nearly impossible to tell.

Working : Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to show that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock is closed. Interlopers can also grab the keys for deciphering encrypted data without the website owners knowing the theft occurred. The problem affects only the variant of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet.

Infected Sites : According to a list compiled by a user of Github (a website geared towards the Web development community), popular affected sites include Yahoo.com, dating site OkCupid.com, torrent site kickass.to, and porn site Redtube.com. Flickr.com, steamcommunity.com, and slate.com are also identified on the list as sites affected by the Heartbleed Bug. You can check out the full list here, which also includes a list of sites that aren’t affected by the flaw. Amazon and Yahoo are working to apply the fix across all of their services. Yahoo said it’s already done that with a multitude of sites, including the homepage, Yahoo Search, Yahoo Mail, Yahoo Sports, and more. Amazon states that it too has applied the fix to the majority of services. You can read Amazon’s statement on the matter here.

Protection : The bug afflicts version 1.0.1 and 1.0.2-beta releases of OpenSSL, server software that ships with many versions of Linux and is used in popular Web servers, according to the OpenSSL project's advisory on Monday night. OpenSSL has released version 1.0.1g to fix the bug, but many Web site operators will have to scramble to update the software. In addition, they'll have to revoke security certificates that now might be compromised.
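As an added example (not from the article or the OpenSSL project), the shell functions below turn the version ranges in the Protection paragraph into a first-pass triage of `openssl version` banners. The function names, hostnames and banner lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): first-pass Heartbleed triage from
# `openssl version` banners, using only the version ranges the article gives.

# Prints: affected | fixed | not-in-range | unknown
heartbleed_status() (
    LC_ALL=C                 # make [a-f] / [g-z] plain ASCII ranges
    ver=${1#OpenSSL }        # drop the banner prefix if present
    ver=${ver%% *}           # keep the version token, drop the build date
    case "$ver" in
        # 1.0.1 up to the letter before the 1.0.1g fix; suffixes such as
        # "-fips" stay in the same bucket. Pre-release 1.0.1 builds are
        # treated as affected here, which is a conservative assumption.
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) echo affected ;;
        1.0.1[g-z]|1.0.1[g-z]-*)               echo fixed ;;
        # The article names no fixed release for the 1.0.2 beta line, so
        # every 1.0.2-beta build is flagged for follow-up.
        1.0.2-beta*)                           echo affected ;;
        [0-9]*.[0-9]*)                         echo not-in-range ;;
        *)                                     echo unknown ;;
    esac
)

# Reads "host<space>banner" lines on stdin, prints "host status" per line.
triage_inventory() {
    while read -r host banner; do
        [ -n "$host" ] || continue
        printf '%s %s\n' "$host" "$(heartbleed_status "$banner")"
    done
}

# Constructed inventory: hostnames and banners are sample data.
triage_inventory <<'EOF'
web01.example.test OpenSSL 1.0.1e-fips 11 Feb 2013
web02.example.test OpenSSL 1.0.1g 7 Apr 2014
lab01.example.test OpenSSL 1.0.2-beta1 24 Feb 2014
old01.example.test OpenSSL 0.9.8y 5 Feb 2013
EOF
```

A distribution may backport the fix without changing the version letter, so treat `affected` as a prompt to check the package changelog rather than as proof. Hosts that were affected still need the certificate revocation step the paragraph describes, even after the upgrade.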


'Heart Bleed', an OpenSSL bug that exposes web encryption Reviewed by Ankit Kumar Titoriya on 00:07 Rating: 5
