Since the Heartbleed bug has been discovered and the catastrophic effects of the vulnerability on openSSL websites have been highlighted, major websites are urging their users to immediately change their passwords.
If you are using any website, which needs openSSL as the security for password protection (a padlock on the browser), then it is advisable to change the password for that website immediately. Security advisors around the world are recommending that users change the passwords because of the Heartbleed bug, which were unearthed by Google Security and a Finnish security firm, Codenomicon.
Heartbleed is a bug found on the openSSL cryptographic library. OpenSSL is used on websites to scramble sensitive data such as usernames, passwords, pin numbers and alike. This scrambled information is passed on to the servers where only the service provider or recipient servers can make sense of it. If the website uses OpenSSL, then you will see a padlock icon on your browser’s URL bar, which tells you that the website is authentic and safe. However, since the bug is come to light, it is known that the scrambles information, aka keys, can be accessed by hackers.
Hackers can make copies of these keys and steal information such as username and passwords from it. It is presently not known if the bug existed for how long, but if it did, then the risk of your sensitive information already being tapped by a hacker is possible. "If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested," said Ari Takanen, Codenomicon's chief technology officer. "In that sense it's a good idea to change the passwords on all the updated web portals."
Therefore, it is advisable that you change every single password of all websites you access. These would include all accounts such as email, banking, trading, payment gateways, social networking websites, etc.
About the Heartbleed bug:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
What is being leaked
Encryption is used to protect secrets that may harm your privacy or security if they leak. In order to coordinate recovery from this bug we have classified the compromised secrets to four categories: 1) primary key material, 2) secondary key material and 3) protected content and 4) collateral.
How you are affected by the bug
You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many of online services use TLS to both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of the TLS. Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.
Versions of the OpenSSL that are affected
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
Operating systems that is vulnerable
- Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
- Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
- CentOS 6.5, OpenSSL 1.0.1e-15
- Fedora 18, OpenSSL 1.0.1e-4
- OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
- FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
- NetBSD 5.0.2 (OpenSSL 1.0.1e)
- OpenSUSE 12.2 (OpenSSL 1.0.1c)
Operating systems that are not vulnerable
- Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
- SUSE Linux Enterprise Server
- FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
- FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
- FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
