If you’re an Internet junkie then the chances are high that you’ve come across the Heartbleed OpenSSL bug that rose to prominence on Monday. A number of extremely popular and frequently visited websites such as Pinterest, NASA, StackOverflow, OKCupid and Airbnb have the OpenSSL cryptographic library embedded into their architecture, and therefore have become immediately susceptible to the bug. Heartbleed was initially discovered by a Google security engineer in conjunction with Codenomicon, but what does it mean for you and your Internet usage?
OpenSSL is essentially an open-source library that implements the features of SSL/TLS that effectively make the Internet secure. Due to its open-source nature, OpenSSL is the cryptographic library of choice for the majority of Internet-based servers and ships with every installation of the Apache Web Server. The Heartbleed bug has been found to exist as a “serious vulnerability” within that OpenSSL library, one that allows information that would normally be protected by the SSL/TLS encryption to be accessed and stolen by non-authenticated entities. In simple terms, anything that is ‘protected’ by a vulnerable installation of OpenSSL is accessible over the Internet.
As pointed out by a number of sources, the recently discovered bug affects Web-based servers that are utilizing the Apache and Nginx software, which is an extremely common setup across the Internet. Because SSL/TLS encryption provides a layer of security for Web access, email usage and instant messages, the existence of Heartbleed means that users interacting with any of those services could potentially leak secure information such as usernames, passwords or other sensitive data if they’re going through a website with an affected installation of OpenSSL.
As you might expect, a number of the world’s largest websites have acted quickly to protect themselves and remove the bug by updating to the latest version of OpenSSL that includes a fix for Heartbleed. Yahoo, WordPress, AWS and a number of others have all taken prompt and decisive action.
The news is a little more positive for the likes of Google, Evernote and Foursquare who haven’t been affected by the issue at all. If you’re overly worried about Heartbleed, or concerned that it could affect some of the websites that you visit frequently, then head over to Heartbleed Checker by pointing your browser to: lastpass.com/heartbleed/ to check if the vulnerability exists on a specific URL.