A potentially damaging flaw has been discovered in the OpenSSL library that will likely trigger reactions ranging from mild concern to paranoia. We may never fully know the extent of the damage – or indeed if any damage at all was caused – but Bitdefender advises its customers to exercise caution.
The Heartbleed bug could give anyone who knew about it unfettered access to secure web sites across the internet that use certain versions of OpenSSL, which is used for SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption. This means that a thief could enter a secure site, steal sensitive information that everybody thought was secure, and leave without a trace.
The SSL and TLS protocols are used to secure e-mail, web applications, some VPNs, messaging services and more. This means thieves could have made off with encryption keys, private messages, passwords, confidential documents and virtually anything else that users thought was protected.
It is not immediately clear how many people or web sites have been endangered by Heartbleed, but OpenSSL is the default encryption library of Apache and Nginx server software, which are used by 66 percent of the sites in the world, according to the Netcraft April 2014 Web Server Survey.
That doesn’t automatically place them all at risk. The bug is present in versions issued from December 2011 onward. OpenSSL advises in a note that the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1. Affected users should upgrade to OpenSSL 1.0.1g.
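As an added check that is not part of the original post, the following Python script parses the output of `openssl version` and classifies it against the ranges given above (1.0.1 up to and including 1.0.1f and the 1.0.2-beta releases affected; 1.0.1g fixed). The comparison rule, the `parse_version` and `is_affected` functions and the sample version strings are my own, not OpenSSL's.

```python
import re
import subprocess

# Matches "OpenSSL 1.0.1f 6 Jan 2014", "1.0.2-beta1" or "1.0.1e-fips ...".
# Groups: major, minor, patch, letter suffix, optional beta number.
VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, letter, beta); beta is None for a final release."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter, int(beta) if beta else None)


def is_affected(text):
    """True when the version falls in the ranges the advisory lists as vulnerable."""
    major, minor, patch, letter, beta = parse_version(text)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g carries the fix.
        # Letters sort alphabetically, and "" sorts before "a".
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only the beta track existed at the time; the advisory names 1.0.2-beta1.
        return beta is not None
    # 1.0.0 and 0.9.8 never contained the heartbeat code in question.
    return False


def local_openssl_status():
    """Run `openssl version` on this host; returns (raw string, affected?) or None."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip(), is_affected(out)


if __name__ == "__main__":
    status = local_openssl_status()
    if status is None:
        print("openssl binary not found")
    else:
        raw, bad = status
        print(f"{raw}: {'AFFECTED - upgrade to 1.0.1g' if bad else 'not in affected range'}")
```

Treat the result as a first pass only: several distributions shipped the fix as a patch on top of 1.0.1e without changing the version letter, so an "affected" string must be confirmed against the package changelog.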
Yahoo!, Flickr, Wunderlist and other popular services have been vulnerable to the bug and their users may have been affected. Facebook, Google and many of the other most popular destinations on the web, meanwhile, are protected from the Heartbleed bug. However, the risk is high and it is still present.
In the meantime, we advise users to exercise caution even when using sites that they assume to be secure. As always, security on the internet is rarely as certain as users assume.
Note: All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.