If you haven’t heard of the Heartbleed bug in the past month or so, and you use computers, you seriously need to refresh your knowledge. The fundamental concept of “Open source is good because so many developers contributed to it” has been proved to be a myth as of the 7th of April 2014.
A major vulnerability in the OpenSSL crypto library has thrown open ‘private’ keys to hackers. It affects half a million of the internet’s web servers and possibly billions of internet users, and could affect transactions to the tune of billions of dollars – all for some FREE software??
Spending on some quality may have been the better choice.
According to Wikipedia, an analysis on GitHub of the most visited websites on April 8, 2014 revealed vulnerabilities in many of them, including Yahoo!, Imgur, Stack Overflow, Slate, and DuckDuckGo. The following sites had services affected or made announcements recommending that users update their passwords in response to the bug:
- Akamai Technologies
- Amazon Web Services
- Ars Technica
- Internet Archive
- Something Awful
Platform maintainers like the Wikimedia Foundation advised their users to change passwords.
The servers of LastPass were vulnerable, but due to additional encryption and forward secrecy, potential attacks were not able to exploit this bug. However, LastPass recommended that its users change passwords for vulnerable websites.
The Tor Project recommended that Tor relay operators and hidden service operators revoke and generate fresh keys after patching OpenSSL, but noted that Tor relays use two sets of keys and that Tor’s multi-hop design minimizes the impact of exploiting a single relay. 586 relays later found to be susceptible to the Heartbleed bug were taken off-line as a precautionary measure.