Heartbleed Bug Has Been Around for 2 Years, Affects Two-Thirds of the Internet
A critical flaw that has been with us for some time and could be around for months to come leaves much of the Internet vulnerable.
Called Heartbleed, the bug affects OpenSSL, a back-end encryption standard that is used by as many as two-thirds of servers connected to the Internet, including many owned by Yahoo.
It was discovered by a Google researcher and could theoretically allow attackers to steal a server’s private encryption keys and intercept traffic.
Although a patch already exists, The Verge reports that vulnerabilities could persist for some time:
For most privacy tools relying on OpenSSL, the takeaway is catastrophic. A blog post from the Tor Project told users, “if you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle.” In many cases, a few days may not be enough. It will give services time to patch their servers, but if any private keys were compromised before the patch went up, it would give attackers free rein in the months to come. Servers can reset their certificates, but it’s slow and expensive, and experts suspect many of them may simply assume the patch is enough. “I bet that there will be a lot of vulnerable servers a year from now,” [ICSI security researcher Nicholas] Weaver says. “This won’t get fixed.”
Apple, Google and Microsoft appear to be unaffected, along with the major e-banking services. Yahoo, on the other hand, was affected and leaking user credentials for a significant portion of the day. (A Yahoo representative tells The Verge the core sites are now patched, although the team is still working to implement the fix across the rest of the site.) More generally, any server running OpenSSL on Apache or Nginx will be affected, which implicates a huge variety of everyday websites and services.
You can read much more about Heartbleed here.
Stay safe.
— Posted by Peter Z. Scheer