OpenSSL, the popular web encryption software, may have been the preferred choice for securing transactions on the Internet, but a recently disclosed bug in its heartbeat feature can expose user information to malicious websites. The Heartbleed Bug was made public yesterday, and it affects almost every online service that uses OpenSSL for data encryption, including services run by companies such as Google, Facebook, Yahoo and others. While you may have assumed your transactions were secure, the existence of the Heartbleed Bug calls that sense of security into question. The bug has existed for about two years and could have given malicious hackers, as well as government agencies such as America’s NSA, a backdoor to our encrypted information. We take a look at what the Heartbleed Bug means for Internet users.
Secure Sockets Layer (SSL) is a widely used encryption protocol that protects websites against attacks by malicious parties seeking users’ data. Google, Facebook, Yahoo and Microsoft use SSL encryption for security, and it has become the standard for most others; OpenSSL is the open-source implementation of SSL that most websites rely on.
To tighten security, SSL gained a feature called heartbeat a few years ago. It requires a short message to be exchanged between two computers over the SSL connection so that each can verify the other’s presence. This was meant to help prove the authenticity of the computers so that information does not land in the wrong hands.
But it turns out this feature in OpenSSL can be tricked: if a fake heartbeat message is sent, information in the server’s memory can be read out. That means vital information held in the computer’s RAM, including usernames and passwords, credit card details and secret keys, can be accessed. Those secret keys, in the wrong hands, can unlock the encrypted information. And once a malicious website uses these secret keys to masquerade as a real user, other users can also be made to share their personal data.
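As an added illustration of the flaw described above (example code, not taken from the article or from OpenSSL itself): a simplified C model of a heartbeat handler that trusts the peer's claimed payload length, beside the bounds check that the fix introduced. The record layout, the `memory` buffer and the secret it holds are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_PADDING 16   /* minimum padding a heartbeat message must carry */

/* Constructed "process memory" (not real OpenSSL state): one heartbeat
 * record, then adjacent data the peer must never receive. */
static unsigned char memory[64];
static const size_t record_len = 1 + 2 + 2 + HB_PADDING;  /* 21 bytes received */
static const char secret[] = "PASSWORD=hunter2";

/* Lay out the record with the payload_length the peer claims: 2 is honest,
 * anything larger than the 2 bytes actually sent is the Heartbleed request. */
void build_memory(uint16_t claimed_len) {
    memset(memory, 0, sizeof memory);
    memory[0] = 0x01;                            /* type: heartbeat_request */
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(memory + 3, "hi", 2);                 /* the payload really sent */
    memset(memory + 5, 0xAA, HB_PADDING);        /* padding bytes */
    memcpy(memory + record_len, secret, sizeof secret); /* neighbouring data */
}

/* Vulnerable pattern: trust the peer's payload_length and copy that many bytes
 * into the echo response without checking it fits the record received. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;                               /* never consulted: the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + 3, payload_len);           /* reads past the record */
    return payload_len;
}

/* Hardened pattern, the shape of the upstream fix: refuse any record whose
 * header + claimed payload + padding exceeds the bytes actually received. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;  /* too short to be a heartbeat */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return 0;
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}
```

With an honest request both handlers echo the 2-byte payload; with a claimed length of 40 the vulnerable handler also copies out the neighbouring secret, while the hardened one returns 0 and sends nothing.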
OpenSSL has carried the Heartbleed Bug for about two years, Vox.com reports. Discovered by Codenomicon and Google Security, the bug not only exposes data to hackers but also makes it easy for agencies like the NSA to read private conversations and inspect users’ data.
Since the flaw is on the websites’ end, there is not much users can do, but as the report suggests, it would be wise to change your passwords for the affected services once those websites have been updated. As for the websites themselves, Google, Facebook and Yahoo had already patched their sites and moved to the latest version of OpenSSL before the Heartbleed Bug was made public.