Heartbleed bug puts millions of websites at risk

Experts have discovered a major flaw in the security software used by millions of Web sites — including banks, e-mail and social media services — that exposes users’ names and passwords, the content of their communications, and their data to anyone who knows how to exploit the weakness. This does not mean your information has necessarily been stolen. It may mean that it’s been vulnerable to theft and may remain vulnerable until a fix is applied.

No matter how hard you try to stay safe, some aspects of securing your online data are completely out of your hands. That fact was made painfully obvious on Monday, when the Internet got caught with its collective pants down thanks to a critical vulnerability affecting a fundamental tool for secure online communications. Called Heartbleed, the bug has been in the wild for more than two years now. It allows attackers to exploit a critical programming flaw in OpenSSL—an open source implementation of the SSL/TLS encryption protocol. When exploited, the flaw leaks data from a server’s memory, which could include SSL site keys, usernames and passwords, and even personal user data such as email, instant messages, and files, according to Finland-based Codenomicon, the security firm that first uncovered Heartbleed in concert with a Google researcher. That’s bad. Real bad, though it’s important to note that Heartbleed only affects OpenSSL and not the security protocol itself.
