OpenSSL, a library of security and cryptographic algorithms, was discovered to have a vulnerability that has been present for as long as two years. Many websites and apps that you use every day are affected, and their operators are scrambling to fix the issue. The most notable software using OpenSSL includes open source web servers such as Apache and nginx. According to Netcraft’s April 2014 Web Server Survey, those two alone had a combined share of over 66% of the active sites on the Internet.
What was the impact?
Some secure websites relied on potentially-exploitable OpenSSL libraries. Most have patched these sites with an update fixing the vulnerability, and have replaced their security certificates. This means that there should be no way for anyone to exploit these websites (for now), or decrypt traffic coming to and from them, even if they had been compromised. Be sure to keep all of your business networks secure and up to date.
How does this exploit work?
This vulnerability may have allowed malicious hackers to capture small bits of data on secured systems, including user account information, such as passwords, as well as the systems’ security keys themselves. With those keys, an eavesdropper could decrypt traffic even after the vulnerability is closed, if the system’s security keys haven’t been changed. Unfortunately, there’s no way to know if anything actually was compromised, as the exploit leaves no trace. It’s that bad.
At this point, many affected websites across the Internet are applying the patch and getting new security certificates. You can think of this as replacing the deadbolt and rekeying the lock. Some websites you use may ask you to change your password in the coming days as an additional precaution. A good practice to follow:
Make sure you do not click links in emails. Make sure you go to the website directly, and only if you have been prompted.