What is the Heartbleed Bug all about? Be safe, Change your Password.


This Bug is in the OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520); and hence the name Heartbleed bug. This bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. Neel Mehta of Google Security discovered this bug.

OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. So you are either affected directly or indirectly. Everything you use, be it your bank website, social networking, e-shopping or even your company website can be affected.

heartbleedThe Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook — and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years.

Some Internet companies that were vulnerable to the bug have already updated their servers with a security patch to fix the issue. This means you’ll need to go in and change your passwords immediately for these sites. Have a look at this article from mashable, where they have listed out the services/websites affected, and they have recommendations for you.

No matter how strong your password is, you need to change it. Changing the password on sites that are still vulnerable to the Heartbleed bug at least ensures that you’re not exposing other sites that use the same password.

If you are a Google Cloud Platform or Google Search Appliance customer, read the below instructions which Google has listed –

Google is currently patching Cloud SQL, with the patch rolling out to all instances today and tomorrow. In the meantime, users should use the IP whitelisting function to ensure that only known hosts can access their instances. Please find instructions hereCustomers need to manually update OpenSSL on each running instance or should replace any existing images with versions including an updated OpenSSL. Once updated, each instance should be rebooted to ensure all running processes are using the updated SSL library. Please find instructions hereWith regard to the Google Search Appliance (GSA), The engineers are working on a patch. The GSA team is finalizing their analysis and will post an update for customers within 24 hours via the Google Enterprise Support Portal.

Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

Source: OpenSSL Security Advisory