OpenSSL “Heartbleed” Bug Threatens Secure Websites

This news has been out for a few days, but it’s pretty technical and I’ve debated the best way to present it to non-technical people. Essentially, OpenSSL, the software library that a large share of websites use to implement the protocol securing the connection between your browser and the site, has a very severe vulnerability that was just recently discovered. The problem is that the vulnerability, a tiny coding error, has been there since early 2012 (it was written at the very end of 2011 and shipped in OpenSSL 1.0.1 that spring), so there has been a window of more than two years in which it could have been used.

The technical details are below if you’re interested, but what it boils down to is this:

  1. If you own or administer a website using OpenSSL, make sure your system is patched against the “heartbleed” vulnerability (OpenSSL 1.0.1 through 1.0.1f are affected and 1.0.1g fixes it; note that Linux distributions ship the fix as a patch to their existing package, so check your vendor’s advisory rather than trusting the version string alone). Then generate a brand-new private key, have a new certificate issued for that key, and revoke the old certificate. Re-issuing a certificate on the same key accomplishes nothing, because it is the key that may have leaked. It is also worth invalidating existing login sessions, since session cookies sit in the same memory.
  2. All user passwords to secure sites, such as eBay, PayPal, banking sites, etc. should be changed, but only once the site in question has patched. Changing a password on a site that is still vulnerable just hands the attacker the new password too; most large sites have posted a statement on whether they were affected and when they fixed it. This means everyone who is reading this post should do this, as inconvenient as it’s going to be. Kathy and I will be reviewing all of our website passwords and implementing changes tonight.

Technical Details:

The OpenSSL library, which implements the SSL/TLS protocol used to secure communications between users and websites, had a bug introduced into its code a little over two years ago. Unfortunately, the bug was not discovered and patched until this week. The bug is in the “heartbeat” feature: a client sends a short message and asks the server to echo it back, stating how long the message is. The server trusts that stated length without checking it against what actually arrived, so an attacker can send a one-byte message, claim it was 64 KB, and receive back 64 KB of whatever happened to be sitting in the server’s memory. Repeat that enough times and the memory handed back can include the site’s private SSL key, session cookies, and the passwords of users who were logging in at that moment. Nothing about the request is logged, so the attack leaves no trace on the server. An attacker who obtains the private key can impersonate the site using its own, still-valid certificate; with a standard man-in-the-middle attack they can then read all traffic to and from that site, including password information, and they can decrypt previously recorded traffic as well if the site was not using forward-secret cipher suites.
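To make “a tiny coding error” concrete, here is an added example of my own, not OpenSSL’s source: a stripped-down model of the heartbeat handler in C. The layout of “process memory” (a heartbeat record followed immediately by a fake private-key string) is constructed for the demo, and the two handlers, `heartbeat_vulnerable` and `heartbeat_fixed`, are simplified stand-ins for the real code before and after the patch. The vulnerable one copies as many bytes as the request claims; the fixed one first checks that claim against the number of bytes that actually arrived, which is the one-line bounds check the OpenSSL fix added.

```c
/*
 * Added example (not OpenSSL's code): simplified model of the TLS heartbeat
 * handler.  A heartbeat request is:
 *   [0]    type (1 = request)
 *   [1..2] claimed payload length, big-endian
 *   [3..]  the payload bytes that were actually sent
 * The server is supposed to echo the payload back.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 256

/* Constructed "process memory": the incoming record sits first and a
 * secret (standing in for a private key left on the heap) right after it. */
static unsigned char process_memory[MEM_SIZE];
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";

/* Place a heartbeat record claiming 'claimed_len' bytes but carrying only
 * 'payload' into process_memory, with the secret immediately after it.
 * Returns the number of bytes that really arrived on the wire. */
size_t build_memory(uint16_t claimed_len, const char *payload)
{
    size_t real_payload = strlen(payload);
    memset(process_memory, 0, MEM_SIZE);
    process_memory[0] = 1;
    process_memory[1] = (unsigned char)(claimed_len >> 8);
    process_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(process_memory + 3, payload, real_payload);
    memcpy(process_memory + 3 + real_payload, SECRET, sizeof SECRET);
    return 3 + real_payload;
}

/* Vulnerable handler (the Heartbleed pattern): trusts the claimed length
 * and never compares it with rec_len, so memcpy reads past the payload.
 * The cap at out_cap only keeps this demo inside its own buffers. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                   /* the bug: ignored */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (claimed > out_cap) claimed = (uint16_t)out_cap;
    memcpy(out, rec + 3, claimed);                   /* over-read */
    return claimed;
}

/* Fixed handler: drop the request (return 0) if the claimed length is
 * larger than what actually arrived, the check the patch added. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < 3) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + claimed > rec_len) return 0;    /* the missing bounds check */
    if (claimed > out_cap) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* 1 if the echoed bytes contain the secret, else 0. */
int leaked_secret(const unsigned char *out, size_t n)
{
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Attacker sends a 2-byte payload but claims 64 bytes. */
int vulnerable_leaks_secret(void)
{
    unsigned char out[128];
    size_t n = build_memory(64, "hi");
    size_t got = heartbeat_vulnerable(process_memory, n, out, sizeof out);
    return leaked_secret(out, got);
}

/* Same malicious request against the fixed handler: expect 0 (dropped). */
size_t fixed_drops_malicious(void)
{
    unsigned char out[128];
    size_t n = build_memory(64, "hi");
    return heartbeat_fixed(process_memory, n, out, sizeof out);
}

/* Honest request (claims 2, sends 2): expect "hi" echoed and no leak. */
int fixed_echoes_honest(void)
{
    unsigned char out[128];
    size_t n = build_memory(2, "hi");
    size_t got = heartbeat_fixed(process_memory, n, out, sizeof out);
    return got == 2 && out[0] == 'h' && out[1] == 'i' && !leaked_secret(out, got);
}

int main(void)
{
    printf("vulnerable handler leaked the secret: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler dropped the malicious request: %s\n", fixed_drops_malicious() == 0 ? "yes" : "no");
    printf("fixed handler echoed the honest request: %s\n", fixed_echoes_honest() ? "yes" : "no");
    return 0;
}
```

The point to take away is that nothing “breaks” when the vulnerable handler runs: the server answers normally, just with more bytes than it should, which is why the attack is silent and why a real attacker repeats it thousands of times to sweep through memory.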
The good news is that, as of this writing, there is no confirmed report of this bug being used maliciously in the wild. The bad news is that exploitation leaves nothing in the server’s logs, so there is no way to know whether any specific server had its private key read, and even after the patch is applied, a key that was stolen while the bug was in play stays stolen. To be safe, website administrators should apply the patch, generate new private keys, obtain new certificates for them, and revoke the old certificates. Since not all website administrators are going to do this promptly, users should change their passwords on secure sites, especially financial institutions, as soon as each site confirms it has been patched.
As always, please do not hesitate to contact me with any questions regarding this situation.
– Eric