“Heartbleed” security exploit of OpenSSL causing heartache for millions of internet users. Major websites affected include Yahoo & GitHub, among others. According to the UK Daily Mail:
Heartbleed, so called because it creates a ‘bleeding’ leak of security, is a flaw in OpenSSL, the software used by the majority of websites to keep data secure.
The programme works by encrypting data – such as emails, instant messages, bank details or passwords – making it look like nonsense to hackers.
When a line of communication is secure and information encrypted, the user sees a padlock on the page. When software is active, one computer may send a ‘heartbeat’ – a small packet of data – to check there is still another computer at the other end.
However, a flaw in the programming meant it was possible to trick the computer at the other end by sending it a packet of data that looked like one of these heartbeats. This made it possible for hackers to impersonate the website and steal the encryption keys, revealing the data being sent.
The bug was found simultaneously by a Google security researcher and a small Finnish security firm named Codenomicon and disclosed on Monday night.
Heartbleed SSL domain checkers have been set up by several firms, including Qualys and LastPass. These checkers let users know if the website’s certificates have been updated properly, and provides a secure link to help update the user’s password for that site.
According to an update posted on cNET, the LastPass site now has added automatic validation for any sites their users have previously bookmarked.