What is Heartbleed?

CVE-2014-0160 is the official identifier, but the bug is better known as Heartbleed. It is a flaw in OpenSSL, a widely used open-source cryptographic library.

OpenSSL is used to protect browser traffic to and from as many as two thirds of all servers on the Web. It is also used to protect email servers, chat servers and VPN services.

The Heartbleed bug lets attackers read information that is normally protected by SSL/TLS encryption. The flaw sits in OpenSSL's implementation of the TLS heartbeat extension, which lets the two ends of a connection keep a secure session open over a long period without renegotiating. A heartbeat request carries a small payload and a 16-bit field stating how long that payload is; the vulnerable code copied as many bytes as the client claimed back into the response without checking the claim against the size of the record it had actually received. A request with a few bytes of payload and a large claimed length therefore returns up to 64 KB of whatever the server process had in memory next to the request, which can include session cookies, passwords and the server's private key.
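To make the flaw concrete, here is an added example in C that is not OpenSSL's code and not part of the original article: a stripped-down model of the heartbeat handler in which the vulnerable version trusts the 16-bit length in the request and the fixed version checks it against the record actually received. The arena standing in for process memory, the planted secret string and the "PING" request are all constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not OpenSSL's source: a stripped-down model of the TLS heartbeat
 * handler showing the CVE-2014-0160 over-read and the bounds check OpenSSL 1.0.1g
 * added. The peer's record sits at the start of a fixed arena whose remaining bytes
 * stand in for adjacent heap memory, so the over-read stays inside one allocation
 * and the program is valid C. SECRET and the "PING" request are constructed. */

/* RFC 6520 record: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3
#define HB_PADDING  16
#define ARENA_SIZE  512
#define RESP_MAX    (HB_HDR + 0xFFFF + HB_PADDING)   /* largest response a 16-bit length allows */

static const char SECRET[] = "sessionid=7f3a9c; password=hunter2";   /* constructed */
static unsigned char g_resp[RESP_MAX];

static unsigned int read_u16(const unsigned char *p) { return (p[0] << 8) | p[1]; }

/* Vulnerable handler (OpenSSL 1.0.1 to 1.0.1f): the length the peer claims is used
 * directly as the memcpy size; the size of the record actually received is never
 * consulted, so a short record with a large claimed length makes the server copy
 * whatever follows the record in memory into the response. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *resp)
{
    unsigned int payload_len = read_u16(rec + 1);
    (void)rec_len;                                        /* the missing check */
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + HB_HDR, rec + HB_HDR, payload_len);     /* reads past the record */
    memset(resp + HB_HDR + payload_len, 0, HB_PADDING);
    return HB_HDR + payload_len + HB_PADDING;
}

/* Fixed handler: header + claimed payload + padding must fit inside the record
 * actually received; otherwise the request is silently dropped (returns 0). */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *resp)
{
    if (rec_len < HB_HDR + HB_PADDING)
        return 0;
    unsigned int payload_len = read_u16(rec + 1);
    if (HB_HDR + (size_t)payload_len + HB_PADDING > rec_len)
        return 0;                                         /* claimed length does not fit */
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + HB_HDR, rec + HB_HDR, payload_len);
    memset(resp + HB_HDR + payload_len, 0, HB_PADDING);
    return HB_HDR + payload_len + HB_PADDING;
}

/* Writes a request carrying 4 real payload bytes but claiming claimed_len, then
 * plants SECRET right after it. Returns the real record length (3 + 4 + 16 = 23). */
static size_t build_arena(unsigned char *arena, unsigned int claimed_len)
{
    size_t rec_len = HB_HDR + 4 + HB_PADDING;
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (claimed_len >> 8) & 0xFF;
    arena[2] = claimed_len & 0xFF;
    memcpy(arena + HB_HDR, "PING", 4);
    memset(arena + HB_HDR + 4, 0xAA, HB_PADDING);          /* padding */
    memcpy(arena + rec_len, SECRET, sizeof SECRET - 1);    /* "adjacent heap" */
    return rec_len;
}

static int buf_contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* One exchange against the chosen handler; returns the response length.
 * claimed_len is capped so the simulated over-read never leaves the arena. */
size_t response_len(int use_fixed, unsigned int claimed_len)
{
    unsigned char arena[ARENA_SIZE];
    if (claimed_len > ARENA_SIZE - HB_HDR)
        return 0;
    size_t rec_len = build_arena(arena, claimed_len);
    return use_fixed ? heartbeat_fixed(arena, rec_len, g_resp)
                     : heartbeat_vulnerable(arena, rec_len, g_resp);
}

/* 1 if the planted secret shows up in the response, else 0. */
int secret_leaked(int use_fixed, unsigned int claimed_len)
{
    return buf_contains(g_resp, response_len(use_fixed, claimed_len), "password=hunter2");
}

int main(void)
{
    printf("vulnerable: %zu bytes, leaked=%d\n", response_len(0, 200), secret_leaked(0, 200));
    printf("fixed:      %zu bytes, leaked=%d\n", response_len(1, 200), secret_leaked(1, 200));
    return 0;
}
```

Compile with `cc -Wall heartbeat.c` (any file name works) and run: the vulnerable handler answers the 23-byte request with a 219-byte response that contains the planted secret, while the fixed handler drops it. In the real bug the claimed length could be 65535, so each request leaked up to 64 KB of whatever the OpenSSL process had in memory next to the record, and the attacker could simply keep sending requests.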

How was the bug discovered?

Heartbleed became public on Monday night (7 April 2014), at the same time as the bug fix that closed the hole. Behind the discovery were three Finnish security researchers at the company Codenomicon and one security engineer at Google.

What makes it worse is that the flaw has been in the OpenSSL source since December 2011 and was shipped to the world with OpenSSL 1.0.1, released in March 2012.

How serious is this?

Because the bug has been out there for two years, it is difficult to assess the damage it has done: it is simply not known whether actors with an interest in acquiring sensitive information knew about the hole before it was closed this week. Exploitation leaves no trace in server logs, so a site cannot tell after the fact whether it was attacked.

It is clear that a long list of sites and services were exposed before the bug fix was released. It ranges from Yahoo!, Flickr and Steam to many newspaper sites; even servers at Amazon are among those affected.

What can the average user do to protect themselves?

Not much. The basic step is to change the password on sites and services that hold sensitive or personal information, whether email, chat services, logins to newspaper sites or social media. Do it only after the service has patched, though: a new password sent to a still-vulnerable server can be stolen just like the old one.

You can check whether a given service has closed the hole using one of the many Heartbleed checkers set up for the purpose. Do not log in to sites that are still exposed.

What should a system administrator do?

All server owners must immediately, preferably the day before yesterday, update OpenSSL to version 1.0.1g (the affected versions are 1.0.1 through 1.0.1f; the 0.9.8 and 1.0.0 branches never had the bug). Note that distributions often backport the fix without changing the reported version number, so check the package changelog rather than the output of openssl version, and restart every service that links OpenSSL, since a running process keeps the old library loaded. Because the private key may have leaked, every SSL certificate should be reissued with a freshly generated key and the old certificate revoked, even though that is complicated and takes time; renewing a certificate on the same key gains nothing. Finally, force all users to change their passwords and invalidate existing session cookies.