‘Heartbleed bug’ puts Web security at risk as flaw in encryption software used by 75% of servers leaves millions vulnerable to data theft
A vulnerability in the OpenSSL program could compromise encryption on much of the Internet, putting passwords and data at risk. Experts say now is not the time for online banking.
A serious bug in OpenSSL, the encryption library used by over 75% of web servers, has left millions of internet users vulnerable to snooping and data theft. The bug, which sits in OpenSSL’s implementation of the TLS “heartbeat” extension, has been dubbed Heartbleed because of how it lets data “bleed” out of a web server’s memory: a heartbeat request claims a payload length, and a vulnerable server sends back that many bytes without checking how many it actually received.
Cyber criminals and hackers can exploit the bug to read, in chunks of up to 64 KB per request, whatever happens to be in the server process’s memory at that moment: private encryption keys, users’ passwords and session cookies, credit card details that users provide during e-commerce transactions and virtually any other piece of data passing through the affected website. They can also capture user data like chat logs for snooping.
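The mechanism behind the “bleeding”, as an added example that is not part of the original article and is not OpenSSL’s own code: a simplified model in C of a TLS heartbeat handler, with the vulnerable handler beside the fixed one. The simulated memory layout, the fake secret, the request builder and every function name here are constructed for illustration; the only thing taken from the real fix is the bounds check itself (header plus claimed payload plus padding must fit inside the bytes actually received).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16          /* minimum padding in an RFC 6520 heartbeat message */
#define MEM_SIZE    512

/* Simulated process memory (constructed for this demo). The received heartbeat
 * record is placed at mem[0]; the bytes after it stand in for whatever else the
 * server process held at the time, here a constructed fake secret. */
static unsigned char mem[MEM_SIZE];
static const char fake_secret[] = "CONSTRUCTED-FAKE-PRIVATE-KEY-BYTES";

static void layout_memory(const unsigned char *rec, size_t rec_len) {
    memset(mem, 'A', MEM_SIZE);
    memcpy(mem, rec, rec_len);
    memcpy(mem + rec_len, fake_secret, sizeof fake_secret - 1);
}

/* Build a heartbeat request: type, 2-byte big-endian payload length, payload,
 * padding. `claimed` may disagree with `actual`: that mismatch is the attack. */
static size_t build_request(unsigned char *rec, uint16_t claimed,
                            const unsigned char *payload, size_t actual) {
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed >> 8);
    rec[2] = (unsigned char)(claimed & 0xff);
    memcpy(rec + 3, payload, actual);
    memset(rec + 3 + actual, 0, HB_PADDING);
    return 3 + actual + HB_PADDING;
}

/* Vulnerable handler, the pattern behind CVE-2014-0160: it echoes back as many
 * bytes as the peer's length field claims and never compares that claim with the
 * number of bytes actually received (rec_len), so memcpy runs past the record. */
static int heartbeat_vulnerable(size_t rec_len, unsigned char *out, size_t out_cap) {
    (void)rec_len;                                   /* never consulted: the bug */
    if (mem[0] != HB_REQUEST) return -1;
    size_t payload = (size_t)(mem[1] << 8 | mem[2]);
    if (3 + payload + HB_PADDING > out_cap) return -1;
    if (3 + payload > MEM_SIZE) return -1;           /* keeps this simulation inside its own
                                                        array; the real bug had no such limit */
    out[0] = HB_RESPONSE; out[1] = mem[1]; out[2] = mem[2];
    memcpy(out + 3, mem + 3, payload);               /* over-read: copies memory past the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Fixed handler: the bounds check OpenSSL 1.0.1g added, restated on this model.
 * Header + claimed payload + padding must fit within the bytes received;
 * otherwise the message is silently discarded. */
static int heartbeat_fixed(size_t rec_len, unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    if (mem[0] != HB_REQUEST) return -1;
    size_t payload = (size_t)(mem[1] << 8 | mem[2]);
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;   /* the check that was missing */
    if (3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = mem[1]; out[2] = mem[2];
    memcpy(out + 3, mem + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Does the response carry the fake secret? (memmem is not portable; scan by hand.) */
static int contains_secret(const unsigned char *buf, int len) {
    size_t n = sizeof fake_secret - 1;
    if (len < 0 || (size_t)len < n) return 0;
    for (size_t i = 0; i + n <= (size_t)len; i++)
        if (memcmp(buf + i, fake_secret, n) == 0) return 1;
    return 0;
}

typedef int (*hb_handler)(size_t, unsigned char *, size_t);

/* A 4-byte "ping" whose length field claims 64 bytes. Returns 1 if the handler
 * leaked the secret that sits in memory just after the record, else 0. */
static int leaks_secret(hb_handler handler) {
    unsigned char rec[64], out[256];
    size_t rec_len = build_request(rec, 64, (const unsigned char *)"ping", 4);
    layout_memory(rec, rec_len);
    int n = handler(rec_len, out, sizeof out);
    return contains_secret(out, n);
}

/* A well-formed request (claimed length matches) must still be answered. */
static int answers_legitimate(hb_handler handler) {
    unsigned char rec[64], out[256];
    size_t rec_len = build_request(rec, 4, (const unsigned char *)"ping", 4);
    layout_memory(rec, rec_len);
    int n = handler(rec_len, out, sizeof out);
    return n == 23 && memcmp(out + 3, "ping", 4) == 0;
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", leaks_secret(heartbeat_fixed));
    return 0;
}
```

The vulnerable handler returns the fake secret inside its 83-byte response even though the client sent only 23 bytes; the fixed handler drops the same request and still answers an honest one. In the real attack the server never logs the malformed heartbeat, which is why the exposure described below leaves no trace.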
The risk to private encryption keys is particularly worrisome. “These are the crown jewels… Leaked (private) secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service (like a social networking website or an email service) at will,” explains the Heartbleed website set up to inform the public about the bug.
While large companies like Google and Facebook, which run their own customized security software, are probably safe, Yahoo was among the millions of websites that appear to have been affected. Yahoo officials on Tuesday said that they have taken the required measures to secure Yahoo servers against Heartbleed.
The bug is so serious and widespread that the Tor Project, which manages the popular Tor anonymity network, has advised web users to go offline for a while. “If you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle,” it said in a blog post.
Bruce Schneier, a cryptographer and one of the top computer security researchers, called the bug catastrophic. “On the scale of 1 to 10, this is an 11,” he said. Though Heartbleed was publicly disclosed on April 7, 2014, the flaw had been present since the heartbeat code shipped in OpenSSL 1.0.1 in March 2012, more than two years earlier. “This bug has left large amount of private keys and other secrets exposed to the internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously,” explained the Heartbleed website.
After the bug was disclosed publicly, thousands of websites patched and updated their web servers. OpenSSL versions 1.0.1 through 1.0.1f are affected; the fix shipped in 1.0.1g. Upgrading alone is not enough, however: because a private key may already have been read out, a site must also generate new keys, reissue its certificate and revoke the old one, and then ask users to change passwords, since any password reset before the patch could itself have been captured. Given how many servers still run the vulnerable versions, large parts of the internet remain exposed.
While Heartbleed directly affects web servers, ordinary web users end up bearing the consequences. In answer to the question “Am I affected by the bug?”, the Heartbleed website notes, “you are likely to be affected either directly or indirectly”. “Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions,” notes the website.