The Heartbleed bug is a recently disclosed vulnerability in the commonly used OpenSSL cryptographic technology. The flaw makes it possible to steal the information supposedly protected by the SSL/TLS encryption. SSL/TLS encryption is used for communication security and privacy over the Internet across a variety of applications including email, instant messaging and many virtual private networks (VPNs).
Those who exploit the Heartbleed bug can read the memory of systems protected by the vulnerable versions of the encryption software. This gives them access to the secret keys that identify service providers and encrypt the traffic, to users' names and passwords, and to the actual content of the communications. With access to the secret keys, black hat hackers can record communications and steal data in order to impersonate services and users.
Perfect Forward Secrecy Should Minimize Potential Damage
Perfect forward secrecy, or PFS, is an additional layer of security that ensures the keys used to encrypt a session last only for a specified, limited period of time. So even if a hacker did get an encryption key out of a server’s memory, they would only be able to decode secure traffic from that server for a limited period of time. Most major technology firms use PFS, but most midsize and smaller enterprises don’t.
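Whether a server actually gets the protection described above depends on which TLS cipher suites it is willing to negotiate. The following added example (not code from the original post) uses Python's standard ssl module and OpenSSL's cipher-name conventions to audit a server context for suites whose key exchange is static, and shows a PFS-only configuration beside a constructed RSA-key-exchange one.

```python
import ssl

# OpenSSL names for TLS 1.2-and-earlier suites start with the key-exchange method.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")     # authenticated ephemeral (EC)DH
ANON_EPHEMERAL_PREFIXES = ("AECDH-", "ADH-")        # ephemeral but unauthenticated


def provides_forward_secrecy(cipher_name: str) -> bool:
    """True if traffic under this suite stays unreadable after the server's
    long-term private key leaks (the Heartbleed worst case)."""
    # TLS 1.3 suites use IANA names ("TLS_AES_..."); every TLS 1.3 handshake
    # performs an ephemeral (EC)DHE exchange, so all of them are forward-secret.
    if cipher_name.startswith("TLS_"):
        return True
    return cipher_name.startswith(EPHEMERAL_PREFIXES + ANON_EPHEMERAL_PREFIXES)


def is_anonymous(cipher_name: str) -> bool:
    """Forward-secret but unauthenticated: exposed to an active man-in-the-middle."""
    return cipher_name.startswith(ANON_EPHEMERAL_PREFIXES)


def non_pfs_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites whose key exchange is static (RSA, DH, ECDH, PSK)."""
    return [c["name"] for c in ctx.get_ciphers() if not provides_forward_secrecy(c["name"])]


def pfs_only_server_context() -> ssl.SSLContext:
    """Corrected setting: refuse static key exchange and anonymous suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-string syntax: ephemeral ECDH/DH with AEAD suites only.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL")
    return ctx


def static_kx_server_context() -> ssl.SSLContext:
    """Constructed weak setting: plain RSA key exchange, no forward secrecy
    (capped at TLS 1.2 so that no TLS 1.3 suite masks the problem)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("AES128-GCM-SHA256:AES256-SHA")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("static RSA key exchange", static_kx_server_context()),
                       ("PFS-only", pfs_only_server_context())):
        print(f"{label}: suites without forward secrecy = {non_pfs_ciphers(ctx)}")
```

An empty list from non_pfs_ciphers() for your own server context means a leaked private key cannot be used to decrypt recorded sessions; on an OpenSSL build whose policy already removes RSA key exchange, set_ciphers() in the weak context raises an SSLError instead.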
Change Your Passwords
You do need to change your password if you have an account at Google, Yahoo, Facebook or any other web service that uses OpenSSL encryption. However, it is important not to change your passwords until you get confirmation from the website that the bug has been successfully patched. That said, most major websites will be patched by now.
Website/Application Owners Need to Replace Security Certificate
Web security analysts doing an in-depth analysis of the flaw have determined that all 500,000 affected sites should revoke their security certificates and issue new ones to avoid the possibility of phishing. Furthermore, certificate authorities are offering to revoke and reissue security certificates for no charge. There is one problem, however: all these certificate revocations are likely to result in slow browsing on the Internet for the next few days.
Your browser automatically compares the security certificate of a website you visit against a list of certificates that have been revoked. In most cases the list is not that long, but because of the need to replace certificates now, the list is going to be thousands of names long every day for at least a week or so. That means confirming a site’s identity is likely to take significantly longer. The length of the delay in the security certificate check will vary from website to website, but experts say there’s a good chance many users will experience delays.
Note to KUWARE hosting clients: All our servers were patched within 24 hours of discovery of the bug, and all SSL certificates have been revoked and renewed.