For the past year, we've been hearing and reading reports of government snooping on digital communications and received assurances that the trusty old SSL encryption protocol that serves to secure everything from bank transactions to password entry can be trusted to put up a good deal of resistance against would-be attackers.
Well, all that bravado may turn out to be in vain, as researchers at Google Security and Codenomicon in Finland have discovered a security flaw so basic that it requires no particular preparation to exploit, and the targets may be as prevalent as half (or up to 2/3) of all Web servers.
But what does 'exploit' mean here? Simply that a programming mistake, one that fails to limit the amount of data a program is expecting, can cause the server to spew out all its secrets. Everything from encryption passwords to your secure connections, to the usernames, passwords and sensitive data you exchange with banking, medical, ecommerce, social media, email, instant messaging and other servers, can be affected.
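The missing bounds check, as an added example that is not from the original post: a small C parser for the TLS heartbeat record layout (type, two-byte payload length, payload, padding, per RFC 6520, an assumption the post itself does not spell out) that validates the declared length against the bytes actually received before copying anything. The sample records are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of a TLS heartbeat message (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * The defect the post describes: trusting payload_length without checking it
 * against the number of bytes actually received, so the echo reply is built
 * from whatever happens to follow the short message in memory. */
#define HB_REQUEST 1
#define HB_MIN_PADDING 16

/* Returns the validated payload length, or -1 if the record is malformed.
 * Copies at most out_cap bytes of payload into out. */
int parse_heartbeat(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL || rec_len < 3)
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    /* The check that was missing: header + declared length + minimum padding
     * must fit inside the bytes actually received. */
    if ((size_t)1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return -1;
    if (payload_len > out_cap)
        return -1;
    memcpy(out, rec + 3, payload_len);
    return (int)payload_len;
}

/* Constructed sample records. */
static const uint8_t good_req[] = { 1, 0x00, 0x05, 'h','e','l','l','o',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };  /* 5-byte payload + 16 bytes padding */
static const uint8_t bad_req[]  = { 1, 0xFF, 0xFF, 'h','e','l','l','o',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };  /* claims 65535 bytes, sends 5 */

int main(void)
{
    uint8_t buf[64];
    int n = parse_heartbeat(good_req, sizeof good_req, buf, sizeof buf);
    printf("well-formed request: payload length %d\n", n);
    n = parse_heartbeat(bad_req, sizeof bad_req, buf, sizeof buf);
    printf("oversized length field: %s\n", n < 0 ? "rejected" : "accepted");
    return 0;
}
```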
Want to know if your favorite site is affected? Simply go to the Heartbleed Test site and type it in.
This is a big one, and what's worse, it's been around since 2011. Worse yet, it's undetectable: it leaves no trace in server logs, and if anyone has ever stolen the data from your Internet service provider, bank, or any of the sites you 'securely' log into, it will be next to impossible to ever track back.
Oh, and it gets just a little worse than that: with the stolen encryption keys, attackers can not only view all your transactional data and live streaming content, but also decrypt any traffic that was captured since the vulnerable version of OpenSSL was installed, potentially as far back as December 2011 or March 2012. That is, unless your particular server has something called Perfect Forward Secrecy, which limits the exposure to the current session rather than any past ones. Most organizations haven't yet gotten around to adopting this level of protection.
So what's to do? If you're a company, or know one you're concerned about, I've set up an email hotline to help advise and independently verify their remediation efforts. Simply email Verify@Heartbleed.ca and a member of my security team (or I) will respond.
If you're a partner, employee, user or individual stakeholder with personal or sensitive information at risk, ask them to get in touch and ask for my 7-step Heartbleed Remediation Checklist. They'll be glad they did. Unfortunately, individual users can't do much more than reset their passwords and hope their favorite site doesn't show up on the list of vulnerable servers. Even then, prospects so far are bleak: with an estimated 56 million installed Apache servers, most of which are running OpenSSL, companies have a lot of work ahead of them. Sorry, no good news today!