OpenSSL is a cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers. You can see that it (or a rival product) is there because a padlock icon appears in your web browser. For years you’ve been told to trust the padlock icon and, if it’s there, you’re safe.
In conjunction with Codenomicon (a Finnish security company), Google Security revealed earlier this week that a flaw had existed in OpenSSL for more than two years, and that if criminals exploited this flaw they could steal the names and passwords of people using the services, as well as take copies of their data and set up spoof sites that would appear legitimate because they used the stolen credentials.
To quote Ari Takanen, Codenomicon’s chief technology officer: “If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested.” Codenomicon has called the bug Heartbleed to reflect data leaking from computer servers.
Bruce Schneier, a respected security blogger, summed it up thus: “Catastrophic is the right word. On the scale of one to 10, this is an 11.”
Ollie Whitehouse, associate director of NCC Group (a cybersecurity company that advises many members of the FTSE 250), described the situation as “grave”.
And all this has been going on for two years before we were told about it, and before most server operators knew about it, with criminals potentially exploiting the bug throughout the entirety of that period. And now the knowledge is in the public domain, meaning that anybody with a Raspberry Pi and the skills to write some simple scripts can have a crack at any server that has not yet been patched.
If you think it’s just little sites that are affected, think again. More than two-thirds of the web’s active sites rely on Apache and Nginx, which both use OpenSSL. Even Canada’s tax-collecting agency halted online services “to safeguard the integrity of the information we hold”. The only good news is that servers running Microsoft’s Internet Information Services (IIS) web server software have not been affected.
Probably the best advice we can give now is to change your passwords (which is good practice to do periodically anyway), but I wouldn’t rush into doing it right away, as it obviously makes sense to ensure that the systems on which you are updating your passwords have been patched to remove the Heartbleed bug first.
LinkedIn, little doubt mindful of its recent security failings, is already forcing users to change their passwords.