Get ready for a new interruption in your work day. A newly discovered security bug nicknamed Heartbleed has exposed millions of usernames, passwords and reportedly credit card numbers — a major problem that hackers could have exploited during the more than two years it went undetected.
This one is unlike most of the breaches over the past few years, in which a Web site got hacked or let its guard down. This flaw is in the SSL (HTTPS) code designed to keep servers secure — tens of thousands of servers on which data is stored for thousands of sites. The bug was found in SSL certificates using a common form of OpenSSL, which is used on servers to encrypt sensitive information to protect people’s privacy. At least 500,000 servers were reportedly vulnerable, and I bet that’s a low number. It primarily affects Nginx and Apache servers, which by some accounts make up more than 60% of web servers in use today.
Server admins are checking whether their SSL certificates were issued on a vulnerable version of OpenSSL and reissuing the SSL certificates using non-affected versions. You should change passwords only AFTER the new SSL certs have been issued.
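One way a server admin could script the first step above, checking whether an installed OpenSSL build falls inside the affected version range, added here as an example and not code from the original post. The affected range (1.0.1 up to but not including 1.0.1g) is taken from the OpenSSL security advisory for this bug rather than from this post, and distributions that backport the fix keep the old version string, so a match is a prompt to check the package changelog, not proof of exposure.

```python
import re
import subprocess

# Affected range as published in the OpenSSL security advisory for this bug
# (not stated on this page): every 1.0.1 release before 1.0.1g.
FIRST_BAD = "1.0.1"
FIRST_FIXED = "1.0.1g"

# OpenSSL releases of that era are numbered major.minor.fix plus an optional
# patch letter: 1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.1g.  No letter means patch 0.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]?)\b")


def parse_version(text):
    """Turn 'OpenSSL 1.0.1e 11 Feb 2013' (or just '1.0.1e') into a sortable tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in: %r" % text)
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def is_affected(version_text, first_bad=FIRST_BAD, first_fixed=FIRST_FIXED):
    """True if the version lies in [first_bad, first_fixed), i.e. is in the affected range."""
    version = parse_version(version_text)
    return parse_version(first_bad) <= version < parse_version(first_fixed)


def installed_version_text():
    """Run the local 'openssl version' command and return its output (empty if absent)."""
    try:
        return subprocess.check_output(["openssl", "version"]).decode("ascii", "replace").strip()
    except (OSError, subprocess.CalledProcessError):
        return ""


if __name__ == "__main__":
    # Constructed sample strings, as 'openssl version' would print them.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 0.9.8y 5 Feb 2013"):
        print("%-32s affected range: %s" % (sample, is_affected(sample)))
    local = installed_version_text()
    if local:
        # A hit here means: verify against the distro package changelog before reissuing certs.
        print("installed: %s -> affected range: %s" % (local, is_affected(local)))
```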
OpenSSL is an open-source implementation of the SSL and TLS protocols. The core library, written in the C programming language, implements the basic cryptographic functions and provides various utility functions. The beauty of OpenSSL is that it is primarily an open platform, so when a vulnerability is discovered it is quickly announced and fixed. With proprietary systems, a bug could exist and only a handful of people are responsible for policing it. And if found, they may not tell anyone for fear of repercussions. Open source is a double-edged sword for sure, but it slices both ways and that is a good thing IMHO.