Security researchers at Google Inc and Codenomicon, a small Finnish security firm, have discovered a serious vulnerability in OpenSSL, the cryptographic software library that protects most of the Internet. They have named it the Heartbleed bug, and it has been present for over two years. Heartbleed has given a major scare to people worried about the protection of passwords, credit card numbers and other information that may be at risk.
Security expert Bruce Schneier calls Heartbleed a catastrophic vulnerability. "On the scale of 1 to 10, this is an 11. Half a million sites are vulnerable, including my own," he wrote in his blog post.
Kurt Baumgartner, researcher with Kaspersky Lab, a privately held vendor of endpoint protection solutions, says the lab uncovered evidence that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans. "Our team identified such scans. The numbers were gradually increasing and this was even more evident when security software company Rapid7 released a free tool for conducting such scans. This problem is insidious and devices besides servers could be at risk because they run software programmes with vulnerable OpenSSL code built into them."
Ever since Edward Snowden exposed the National Security Agency's (NSA's) widespread efforts to eavesdrop on the Internet, people have looked to encryption as the answer to their problem. Encryption is a method that hides information, such as a secret message, so that it cannot be read without special knowledge (like a password). Snowden offered the hope that encryption is a saving grace in the face of the NSA's snooping. "Encryption works," the whistleblower said last June. "Properly implemented strong crypto systems are one of the few things that you can rely on."
Snowden also warned that crypto systems aren't always properly implemented. "Unfortunately," he said, "endpoint security is so terrifically weak that NSA can frequently find ways around it." The bigger question is the one that security expert Bruce Schneier also raised. "The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything."
The problem lies with the fact that most of the websites in the world rely on a tiny group of poorly paid programmers to keep you safe from hackers.
For everyone who owns a website that uses OpenSSL, the bug has been patched. After you patch your systems, you have to generate a new public/private key pair, update your SSL certificate, and then change every password that could potentially have been exposed. For all internet users, the safest option is to change all passwords.
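The key-rotation step above, as an added example that is not part of the article: a small POSIX shell script that generates a fresh key pair and CSR with the openssl CLI and then checks that the deployed certificate really carries the new public key (a mismatch means the old, possibly leaked, key is still in use). It assumes the openssl command is installed; the self-signed certificate stands in for the CA-issued one you would obtain with the CSR.

```shell
#!/bin/sh
# Added example (not from the article). Assumes the openssl CLI is present.
set -eu

# Generate a new RSA private key, a CSR to submit to your CA, and (for
# demonstration only) a short-lived self-signed certificate, all under
# directory $1 for hostname $2. In production, deploy the certificate
# your CA returns for new.csr instead of new.crt.
rotate_keypair() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    openssl genrsa -out "$dir/new.key" 2048 2>/dev/null
    chmod 600 "$dir/new.key"   # the private key must stay readable only by its owner
    openssl req -new -key "$dir/new.key" -subj "/CN=$cn" -out "$dir/new.csr"
    openssl req -x509 -key "$dir/new.key" -in "$dir/new.csr" -days 1 -out "$dir/new.crt"
}

# Compare the SHA-256 hash of the public key derived from the private key
# file ($1) with the one embedded in the certificate ($2).
# Returns 0 when they match, non-zero otherwise.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}
```

Run key_matches_cert against the key your web server actually loads and the certificate it actually serves; if it fails after the certificate update, the rotation was not completed.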
If major web companies pitch in for regular audits of OpenSSL's code, an incident like this can be avoided. The hope is that people who use open source software will take auditing it more seriously and publish the audit results, so that less fortunate firms and individuals can stay secure as well. -With inputs from Priyanka Golikeri
What are sites doing?
Facebook: Unclear if it was affected, but site has deployed a patch so you can change your password
Twitter: Company yet to comment. It's better not to use a password shared with other services
Google: It said users do not need to change passwords for accessing Gmail, YouTube
Tumblr/Flickr: Have fixed the problem. You must change your password immediately
Yahoo: It has deployed patches on major services but others remain. It is advising users to rotate passwords
Hotmail/Outlook/LinkedIn/Microsoft services: Not affected
Amazon.com Inc: Says its websites weren't exposed to Heartbleed