A place for all things security.

Bug in OpenSSL puts secure online communications and passwords at risk

Apr 8, 2014 // Andrew Stroup

Computer security experts are advising website and network administrators to fix a major flaw in a type of software used by millions of websites to encrypt sensitive communications.

The flaw, nicknamed “Heartbleed,” is contained in several versions of OpenSSL, a cryptographic library that enables SSL (Secure Sockets Layer) encryption. Most websites use SSL, which is indicated in browsers with a padlock symbol. CommonKey uses TLS, a more secure protocol that was not affected by this vulnerability.

This bug could let hackers gain access to users’ passwords and fool people into using bogus versions of web sites. Some already say they’ve found Yahoo passwords as a result. Exploiting this bug essentially enables hackers to monitor all information passed between a user and a web service, or even decrypt past traffic they’ve collected.

The bug was discovered by researchers from Codenomicon, a computer security company, and Neel Mehta, who works on security for Google. The scope of this problem could be vast, as many modern operating systems may contain an affected version of OpenSSL.

Cryptography consultant Filippo Valsorda published a tool that lets people check Web sites for Heartbleed vulnerability. That tool showed Google, Microsoft, Twitter, Facebook, Dropbox, and several other major Web sites to be unaffected — but not Yahoo.

Other Web sites shown as vulnerable by this tool include OKCupid, Imgur, and Eventbrite.