[updated 2014-04-12 01:59]
Most of you will have heard about the Heartbleed Bug by now. Here is a quick overview and some useful links.
According to heartbleed.com (emphasis mine):
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Many (web) servers using OpenSSL may have leaked private keys, user names, passwords, session cookies, and any other data handled by the server, including (confidential) emails and documents. A leaked private key can be used to impersonate the server in man-in-the-middle attacks and to decrypt recorded traffic, at least for connections that did not use forward-secret (ephemeral DH/ECDH) cipher suites.
The affected versions of OpenSSL (1.0.1 through 1.0.1f, and 1.0.2-beta1) have been in widespread use since 2012, the bug is trivial to exploit, and exploitation leaves no trace in ordinary server logs -- therefore, it should be taken very seriously.
Those servers need to be patched (OpenSSL 1.0.1g, a vendor build with the fix backported, or a build with -DOPENSSL_NO_HEARTBEATS), and only then should new keys be generated, new certificates issued and the old certificates revoked; keys generated on a still-vulnerable server can simply leak again. Any data that may have been intercepted or leaked should be considered compromised. Unfortunately, certificate revocation does not work as well as it should (browsers commonly skip or soft-fail OCSP and CRL checks), and many network appliances and other embedded systems are not easily patched.
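To make the bug concrete, here is an added example (not code from the original post and not OpenSSL's own source) that mirrors the logic of OpenSSL's heartbeat handler on a simulated heap: the vulnerable path trusts the 2-byte payload length sent by the peer, the patched path applies the two bounds checks added in 1.0.1g. The same check doubles as a detector for captured cleartext heartbeat records. The heap layout, the "secret" string, the TLS version bytes and all function names are constructed for illustration.

```python
"""Heartbleed in miniature: the TLS heartbeat record, the missing bounds
check, and the check the fix added.  Illustrative example only; the memory
layout and sample data below are constructed, not captured."""
import struct

TLS_HEARTBEAT = 0x18            # TLS record content type "heartbeat" (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2  # HeartbeatMessageType values
PADDING = 16                    # RFC 6520 minimum padding; OpenSSL always uses 16
RECORD_HEADER = 5               # content type (1) + version (2) + length (2)


def build_heartbeat_record(claimed_len, payload, version=b"\x03\x02"):
    """Encode a TLS heartbeat request record (version bytes are an assumption).

    claimed_len goes into the heartbeat's own payload_length field; the TLS
    record length always reflects the bytes actually sent, so a caller can
    make the two disagree, which is the whole attack.
    """
    body = bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING
    return bytes([TLS_HEARTBEAT]) + version + struct.pack("!H", len(body)) + body


def process_heartbeat(memory, offset, length, patched):
    """Simulated heartbeat handler, modelled on OpenSSL's tls1_process_heartbeat().

    memory:  bytearray standing in for the process heap
    offset:  where the decrypted record body starts (rrec.data)
    length:  the record body length (rrec.length)
    patched: apply the bounds checks that the 1.0.1g fix added
    Returns the response bytes, or None if the message is silently discarded.
    """
    p = offset
    if patched and 1 + 2 + PADDING > length:        # too short to be a heartbeat at all
        return None
    hbtype = memory[p]
    payload = struct.unpack("!H", memory[p + 1:p + 3])[0]   # peer-supplied length
    p += 3
    if patched and 1 + 2 + payload + PADDING > length:      # the check that was missing
        return None
    if hbtype != HB_REQUEST:
        return None
    # Vulnerable path: the copy trusts `payload` and reads up to 64 KiB from the
    # record onwards, i.e. whatever happens to follow it in the heap.  Here the
    # over-read is bounded by len(memory); in a real process it is not.
    copied = bytes(memory[p:p + payload])
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload) + copied + b"\x00" * PADDING


def heartbeat_record_is_malformed(record):
    """Detection rule for a captured (cleartext) TLS record: True if it is a
    heartbeat whose claimed payload cannot fit inside the record, i.e. a
    Heartbleed probe.  Non-heartbeat records return False."""
    if len(record) < RECORD_HEADER or record[0] != TLS_HEARTBEAT:
        return False
    body_len = struct.unpack("!H", record[3:5])[0]
    body = record[RECORD_HEADER:RECORD_HEADER + body_len]
    if len(body) < 3:
        return True                                  # cannot even hold type + length
    claimed = struct.unpack("!H", body[1:3])[0]
    return 1 + 2 + claimed + PADDING > body_len


def demo():
    """Constructed heap: a 19-byte heartbeat record claiming a 65535-byte payload,
    followed by data the peer was never meant to see.  Returns the vulnerable
    handler's response and the patched handler's result."""
    secret = b"user=alice&password=hunter2;session=deadbeef"   # constructed sample
    record = build_heartbeat_record(claimed_len=0xFFFF, payload=b"")
    memory = bytearray(b"\x00" * 32 + record[RECORD_HEADER:] + secret + b"\x00" * 64)
    offset, length = 32, len(record) - RECORD_HEADER
    vulnerable = process_heartbeat(memory, offset, length, patched=False)
    patched = process_heartbeat(memory, offset, length, patched=True)
    return vulnerable, patched


if __name__ == "__main__":
    leaked, dropped = demo()
    print("vulnerable handler leaked secret:", b"hunter2" in leaked)
    print("patched handler dropped record:", dropped is None)
    print("probe flagged by detector:", heartbeat_record_is_malformed(build_heartbeat_record(0xFFFF, b"")))
```

The detector only helps for heartbeats sent in the clear, which is how the widely circulated probes work (they send the heartbeat right after ServerHello, before keys are established); once the record layer is encrypted a network sensor sees only the outer record length, so host-side patching, not detection, is the real fix.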
Users will need to change passwords once services have patched the bug and started using new keys -- changing a password before that point only hands the new password to the same leak. Users should not log into accounts on affected services until they have confirmation that the service has been patched and has deployed a new certificate. Unfortunately, many services have not yet released information regarding whether they were vulnerable, and if so, whether they have taken the necessary steps to fix the bug.
Not just servers are affected. Client-side software linked against a vulnerable libssl (command-line tools, mail and VPN clients, and so on) can be made to leak its own memory by connecting to a malicious or compromised server. Fortunately, Firefox and Chromium (on the desktop) do not use OpenSSL for TLS.
You may even want to change all passwords, even for services not affected, in case someone got into your email account and used password-reset emails to take over other accounts.
Some advice from MyKolab:
- Keep your systems updated
- Encrypt your devices
- Lock your screens
- Never re-use passwords
- Choose good passwords
- Regularly change your passwords
Firefox users may be interested in Certificate Patrol, an add-on that reveals when SSL certificates change; it is one way to see whether a site has actually deployed a new certificate after patching, rather than just taking its word for it.
See the Heartbleed article on Wikipedia and the resources listed below for more information.