Web data started to bleed out on Monday night when a bug named Heartbleed was reported in the OpenSSL library by the Google security team “Codenomicon”. It is regarded as one of the biggest and most devastating security threats that the internet world has ever seen. The bug affects many popular websites and could have quietly exposed your sensitive information to deadly online threats.
What Are OpenSSL And Heartbleed?
For the web of twenty years ago to become the web of today, a security layer was essential so that people could securely transmit sensitive information and carry out online monetary transactions. The SSL/TLS protocols became the de facto security layer. It is an open source protocol that secures much of what you see on the web.
A newly discovered bug, ‘Heartbleed’, in the OpenSSL library has flushed the trust of twenty years down the toilet. The vulnerability has been present in OpenSSL for the last two years and can allow anyone with remote access to get hold of your passwords, emails, banking transactions and other content that you send to a seemingly secure website. As you can see, this is a big deal!
Why Is Heartbleed Your Worst Nightmare?
Explaining ‘Heartbleed’ in his article, security expert Bruce Schneier said:
“‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11. That’s about right”.
So, why is Heartbleed so bad? And why has it become such a big deal?
Imagine this: You and your girlfriend designed a secret language to heat up your romance and you two are the only people to know that language. You had a key to decode the messages you sent in your secret language. And one day, BOOM! You’re busted because your secure key has been stolen and all your personal/private messages are open for all to read. That’s what Heartbleed is. Makes your heart bleed, doesn’t it?
OpenSSL is a major part of the modern internet world. Popular websites like Facebook, Twitter, Airbnb, USMagzine.com, NASA, Creative Commons and some others are running SSL encryption.
While most security experts advise that you always use websites and services offering SSL security encryption whenever possible, the Heartbleed bug has the ability to allow malicious operators to defeat this security layer and capture passwords as well as forge authentication cookies and obtain other private information.
Fixing The Bug is Not That Simple
This vulnerability can affect any website or service running specific versions of OpenSSL (1.0.1 through 1.0.1f). So, any app, bank or website using OpenSSL (1.0.1 through 1.0.1f) from 2012 is vulnerable to this bug.
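The affected range named above can be checked against the banner that `openssl version` prints; the following is an added example, not code from the original article. The host names, banner strings and function names are constructed for illustration.

```python
import re

# Affected upstream range as stated in the article: 1.0.1 through 1.0.1f.
AFFECTED_BASE = (1, 0, 1)
AFFECTED_LETTERS = {"", "a", "b", "c", "d", "e", "f"}

# Matches the banner printed by `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# Anything after the patch letter (such as "-fips") is ignored.
_BANNER = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version(banner):
    """Return ((major, minor, fix), patch_letter), or None if unparseable."""
    m = _BANNER.search(banner)
    if m is None:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix)), letter

def classify(banner):
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"
    base, letter = parsed
    if base == AFFECTED_BASE and letter in AFFECTED_LETTERS:
        # Distribution packages can carry a backported fix without changing
        # the upstream letter, so a match means "check the package changelog".
        return "in-affected-range"
    return "outside-affected-range"

def hosts_to_review(inventory):
    """Hosts whose banner is in the affected range or could not be parsed."""
    return sorted(h for h, b in inventory.items()
                  if classify(b) != "outside-affected-range")

# Constructed sample inventory (hypothetical host names and banners).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail-01": "OpenSSL 0.9.8y 5 Feb 2013",
    "vpn-01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "db-01": "OpenSSL 1.0.1 14 Mar 2012",
    "legacy-01": "version string missing",
}

if __name__ == "__main__":
    for host in hosts_to_review(SAMPLE_INVENTORY):
        print(host, classify(SAMPLE_INVENTORY[host]))
```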
The Heartbleed vulnerability has existed for the last two years without any detection. In addition, it behaves in such a way that, after a lot of effort and a lot of time, some of the private information could become accessible.
Many websites are still catching up with the situation, and entities like the ‘Tor Project’ have advised people who really care about their security to stay away from the internet for a week.
It is also a fact that many websites don’t run on SSL encryption, and most of the websites using OpenSSL have been running the latest versions. All these websites will have nothing to fear from Heartbleed.
One of the messages on the Heartbleed homepage, the site set up to address the bug, stated:
“The Heartbleed bug compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content… As long as the vulnerable version of OpenSSL is in use it can be abused.”
So, What Next?
Heartbleed is just like a scary movie that has no ending in sight for an indefinite period. Meanwhile, there are 3 ways by which you can protect yourself on the web from Heartbleed:
- Wait for an official announcement of a security patch from the websites or services that you normally use.
- Once the site or service has installed a security update, change your passwords.
- For at least a week, keep an eye on all of your sensitive online transactions for suspicious activity.
PureVPN’s Update on Heartbleed
PureVPN uses SSL-based encryption to secure its users’ online information and identity. In order to avoid Heartbleed, PureVPN has already updated its OpenSSL version, and we are continually monitoring our services to avoid any vulnerability.