Two days ago a critical bug in OpenSSL was reported by Codenomicon. The bug, termed Heartbleed (CVE-2014-0160), lets an attacker read the memory of any server or client running an affected version of OpenSSL, and so eavesdrop on communications that were supposed to be secure.
OpenSSL is the most popular open source cryptographic library in use today. The Heartbleed bug capitalises on a flaw in OpenSSL’s implementation of the TLS “heartbeat” extension: the server trusts the payload length stated in a heartbeat request and echoes back that many bytes, even when the request actually contained far fewer, so each request returns up to 64 KB of whatever happens to sit in the process’s memory. The flaw has been present since OpenSSL 1.0.1 was released two years ago and affects versions 1.0.1 through 1.0.1f. The leaked memory can contain sensitive data such as login details, session cookies and emails.
It is relatively easy to carry out this attack, it can be repeated as often as the attacker likes, and it leaves no trace: heartbeat messages are not logged, so nothing appears in the log files. In addition to data in memory, the server’s private keys can also be stolen, which lets the attacker decrypt captured traffic and impersonate the server.
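The mechanism described above, as an added example that is not OpenSSL’s code and not part of the original post: a simplified model of the heartbeat handler in C, with the vulnerable version beside the 1.0.1g-style fix. Process memory is modelled as a single arena in which a constructed secret string sits directly behind the received record; the record layout (type, two-byte big-endian length, payload, 16 bytes of padding), the 64-byte claimed length and the secret are all assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16
#define ARENA_SIZE       256

/* Build a heartbeat request: type(1) | payload_length(2, big-endian) | payload | padding(16).
 * claimed_len is what the sender writes in the length field; only actual_len payload bytes
 * are really present. Returns the number of bytes actually written (the real record length). */
static size_t build_heartbeat(unsigned char *out, uint16_t claimed_len,
                              const unsigned char *payload, size_t actual_len)
{
    out[0] = TLS1_HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, actual_len);
    memset(out + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Model of the vulnerable handler (OpenSSL 1.0.1 to 1.0.1f): the payload length is taken
 * from the record and trusted, so the reply copies that many bytes from wherever the
 * payload sits in memory. rec_len is deliberately ignored; that is the bug. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *resp)
{
    (void)rec_len;
    if (rec[0] != TLS1_HB_REQUEST)
        return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);   /* reads past the record when payload > bytes received */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Model of the 1.0.1g fix: compare the claimed length with the bytes that actually arrived
 * and silently discard the record if it does not fit. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *resp)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;
    if (rec[0] != TLS1_HB_REQUEST)
        return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                          /* claimed length exceeds the record: drop it */
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Byte-string search that does not stop at NUL bytes (memmem is not portable). */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Send one malicious heartbeat to a handler whose memory is modelled by a single arena:
 * the received record at the front and a constructed secret right behind it (standing in
 * for whatever the heap happens to hold). Returns the reply length and sets *leaked to 1
 * if the secret came back in the reply. */
static size_t heartbleed_demo(int use_fix, int *leaked)
{
    static const char secret[] = "user=alice&password=hunter2";  /* constructed sample */
    unsigned char arena[ARENA_SIZE];
    unsigned char resp[ARENA_SIZE];
    memset(arena, 0, sizeof arena);
    memset(resp, 0, sizeof resp);

    /* The attacker claims a 64-byte payload but sends only 2 bytes ("hi"). */
    size_t rec_len = build_heartbeat(arena, 64, (const unsigned char *)"hi", 2);
    memcpy(arena + rec_len, secret, sizeof secret);

    size_t resp_len = use_fix ? heartbeat_fixed(arena, rec_len, resp)
                              : heartbeat_vulnerable(arena, rec_len, resp);
    *leaked = contains(resp, resp_len, "hunter2");
    return resp_len;
}

int main(void)
{
    int leaked;
    size_t n = heartbleed_demo(0, &leaked);
    printf("vulnerable: %zu-byte reply, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = heartbleed_demo(1, &leaked);
    printf("fixed:      %zu-byte reply, secret leaked: %s\n", n, leaked ? "yes" : "no");
    return 0;
}
```

The vulnerable handler returns an 83-byte reply (3 header bytes, 64 echoed bytes, 16 of padding) of which only 18 came from the request; the rest is the memory behind it, including the password. The fixed handler compares the claimed length against the record length and drops the request without replying, which is exactly the silent-discard behaviour the 1.0.1g patch introduced, and why a scanner can tell the two apart by whether any reply comes back at all.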
Filippo Valsorda created a tool, the Heartbleed Test, where anyone can check whether a website is vulnerable to this bug: it sends a malformed heartbeat request and reports whether the server echoes back memory it should not. Some of the websites vulnerable to this bug are listed here.
Administrators need to update to OpenSSL 1.0.1g, which has a fix for this bug, or rebuild OpenSSL with heartbeats disabled (-DOPENSSL_NO_HEARTBEATS) where an upgrade is not yet possible, and then restart every service that links the library. Note that some distributions backport the fix while keeping an older version string, so the package changelog, not the version number alone, tells you whether a system is patched. Because private keys may have been read from memory, administrators also need to generate new keys, reissue certificates and revoke the old ones, and should invalidate existing session cookies and tokens. Users of affected sites need to change their passwords, but only after the server-side fixes have been implemented: a password changed on a still-vulnerable server can simply be stolen again. Organisations therefore need to notify their users when the server updates are complete and advise customers only then to change passwords.