Multiple sites are reporting tonight on an OpenSSL crypto bug that could affect anywhere from 50% or more of Internet traffic. Called the Heartbleed Bug, the flaw was discovered and reported by Neel Mehta of Google's security team. A patch has been issued. Because of the nature of the bug, and the fact that it has existed for over two years, damage may already have been done, and may still occur.
OpenSSL is a part of our Internet lives that most people probably don't know about. It is a cryptographic library used to secure a large portion of the Internet's traffic, from email to instant messaging to web browsing to some VPNs. As apps and websites send data back and forth, if they encrypt it there is a better than average chance that OpenSSL is in play.
Why is this a bad thing? Here's a quote from the Heartbleed Bug site:
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
The scope of the problem comes from the fact that the hole has been open for over two years. Malefactors could have been gathering sensitive data during that period, and with access to the crypto keys they could wreak havoc. Even more frightening, the bug leaves no trace of itself in logs, so there is no way to look back and determine whether data was stolen or not.
As long as systems remain unpatched there is obviously a problem. The emergency patch is called Fixed OpenSSL and was issued today along with the warning.