Nearly 70 percent of traffic on the Internet relies on OpenSSL to secure its data transfers. In other words, almost all major servers (read: websites) use OpenSSL to protect your data, such as login credentials. However, a researcher from Google found a bug in OpenSSL – a minor programming mistake, but one big enough to hand your data to hackers, people willing to use it for their own purposes. The bug is named Heartbleed because it lives in the heartbeat extension of OpenSSL.
What is the Heartbleed Bug?
Most servers accept encrypted data, decrypt it using their encryption keys and pass it on for processing. Since most servers serve end users on a FIFO (First In, First Out) basis, the decrypted data often sits in server memory for a while before the server picks it up for further processing.
The Heartbleed bug is a cause for worry for almost all Internet-based commercial websites, and for other types of site as well. This programming error lets hackers reach into any server running a vulnerable OpenSSL and read, save and use the unencrypted (that is, already decrypted) data. Hackers do not just gain access to your data; they can also copy the website's certificate, making the Internet an even more dangerous place. With a copy of the certificate, hackers can build mimic sites: sites that look identical to the original. Through those, they can harvest still more of your data, such as credit card details and personal information.
That sounds scary, doesn’t it? It is – indeed – since the bug exposes your information, and that information can be used towards any end.
Note: Heartbleed also has the identifier CVE-2014-0160. CVE stands for Common Vulnerabilities and Exposures. These identifiers for vulnerabilities and similar issues are assigned by MITRE, an independent body that keeps track of bugs and related problems.
Should I upgrade my Anti-Virus or something?
The Heartbleed bug in OpenSSL has nothing to do with your antivirus or firewall. It is not a client-side issue, so there is little you can do about it. On the other side, servers have to apply a patch to the OpenSSL they are using. Once that is done, the website can be considered safer to interact with.
What you can do as a user is reduce your visits to commerce and similar sites. It is not that the bug affects only commerce sites; it applies equally to every type of website that uses OpenSSL. I say avoid commerce sites for a while because they would be the main target for hackers after your card details and the like; e-commerce sites running OpenSSL are where they will look first.
Once you get a message or report that the bug has been fixed, you can carry on as you did before it was discovered. OpenSSL has created a patch and released it so that website owners can secure their users’ data. Until then, try to avoid sites where you have to hand over your data in any form – even login credentials. I am sure almost all webmasters are applying the patch, but there is still a problem. Once you are sure that there are no vulnerabilities, or that they have been patched, it would be a good idea to change your passwords.
Site Certificates copied via Heartbleed need to be addressed
There is a high chance that website security certificates have been copied for use on malicious websites. Since the copies are exact duplicates of the real certificates, your browser may not be able to tell the difference. It is you who has to remain cautious. Avoid clicking links; instead, type the website's URL into the address bar so that you are not redirected to a fake site.
This problem can be solved in two ways:
The browsers available in the market should be made smart enough to identify copied certificates and alert you.
The webmasters change the certificates after applying the patch.
In other words, it will take some time to implement the above, even once webmasters have applied the patch. I want to reiterate: do not click links in emails or on non-reputable websites. Simply type the URL into the address bar or, if you have the original site bookmarked, use the bookmark.
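As an added example (not the article's own code), two offline checks a site operator can script for the advice above: deciding from `openssl version` output whether a build still carries CVE-2014-0160, and deciding from `openssl x509 -noout -dates` output whether a certificate predates the fix and should be reissued. The vulnerable version range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) and the fix date (1.0.1g, 7 April 2014) are taken from OpenSSL's own advisory, not from this article.

```python
# Added example, not from the original article. Assumes OpenSSL's advisory:
# Heartbleed affects 1.0.1 up to 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g,
# released 2014-04-07. The 0.9.8 and 1.0.0 branches were never affected.
import re
from datetime import datetime, timezone

FIX_RELEASED = datetime(2014, 4, 7, tzinfo=timezone.utc)

def openssl_version_vulnerable(version_line: str) -> bool:
    """Return True if the output of `openssl version` names a build that
    still carries the Heartbleed bug (CVE-2014-0160)."""
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?", version_line)
    if not m:
        raise ValueError(f"unrecognised version line: {version_line!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g is the fix.
        return letter < "g"
    if (major, minor, fix) == (1, 0, 2):
        return beta == "-beta1"
    return False  # other branches never shipped the heartbeat extension

def cert_issued_before_fix(dates_output: str, patched_at: datetime = FIX_RELEASED) -> bool:
    """Parse `openssl x509 -noout -dates` output and return True if the
    certificate was issued before `patched_at`, meaning its private key
    lived in a process that could have been vulnerable and the certificate
    should be reissued. Pass the date your own server was patched if that
    is later than the fix release; a certificate issued after the fix date
    but before your patch is just as exposed."""
    m = re.search(r"notBefore=(.+)", dates_output)
    if not m:
        raise ValueError("no notBefore line in input")
    # OpenSSL prints e.g. "Apr  8 00:00:00 2014 GMT"; strptime tolerates
    # the double space and accepts GMT for %Z but leaves the result naive.
    not_before = datetime.strptime(m.group(1).strip(), "%b %d %H:%M:%S %Y %Z")
    return not_before.replace(tzinfo=timezone.utc) < patched_at

if __name__ == "__main__":
    # Constructed sample inputs, as the two commands would print them.
    print(openssl_version_vulnerable("OpenSSL 1.0.1e-fips 11 Feb 2013"))
    print(cert_issued_before_fix("notBefore=Jan 15 12:00:00 2014 GMT\n"
                                 "notAfter=Jan 15 12:00:00 2015 GMT\n"))
```

Distributions such as Debian and Red Hat backported the fix without changing the version letter (a patched build may still report 1.0.1e), so on packaged systems confirm the fix through the package changelog rather than the version string alone.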
The References section at the end of this article contains an incomplete list of affected websites. Incomplete, because there may be more affected websites than the ones listed there.