If you’ve gotten an email requesting that you change your password from your Pinterest, Google, Facebook, Instagram, YouTube, Dropbox, or even your domain registrar, GoDaddy, then you’ve probably already heard of the OpenSSL’s Heartbleed bug. OpenSSL is the go-to open source cryptographic library and protects email servers, chat servers, and even Virtual Private Networks (VPN).
The Heartbleed bug got its name from the implementation of OpenSSL’s cryptographic security extension, called Heartbeat. Since it turned out that Heartbeat exposes serious vulnerability in the Secure Sockets Layer (SSL) of the Applications Layer in the Internet Protocol Suite, which is the designated protocol for providing and maintaining security on the Internet from the Hypertext Transport Protocol (HTTP) to HTTPS (the ‘S’ stands for secure), the bug was called Heartbleed. OpenSSL’s found vulnerability means that encryption keys, security certificates, user names, passwords, and other sensitive information on your favorite social media site, your company’s commerce site, sites you download software from, and even government registered sites are susceptible to their data being compromised. The most interesting part is that there is no trace logged when a breach was made from a malicious attack since the primary and secondary keys (the aforementioned encryption keys and other top-tier security information) were compromised, allowing the attacker to impersonate the compromised service. Not even certificate authentication can reduce the chance of a user being notified of the site being compromised. There is debate on whether or not the NSA has known of and exploited these vulnerabilities to collect account information on patrons of the affected sites, totaling as many as two-thirds of the websites on the Internet.
Heartbleed was actually brought to the attention of OpenSSL back in late 2011, but after rigorously testing the patch for leaks (including OpenSSL attacking themselves!), the patch has been made available as of the 7th of this month. This means that, to stop the leaks, vendors need to implement the fix and alert their users, hence why you may have received an email notification with a short synopsis of what Heartbleed is and a suggestion to change your passwords. Service providers and users themselves need to install the fix as it becomes available to their operating systems and software they use.