SSL & Heartbleed: What You Need to Know

It is only a short time since security researchers disclosed "The Heartbleed Bug" (CVE-2014-0160, April 2014), which sent shock waves through the online world.

The flaw was found in OpenSSL, the open-source cryptographic library that a large share of the web servers, mail servers, VPNs and other services on the internet use to implement SSL/TLS. Essentially, the discovery meant that the millions of users of some of the best-known websites and brands in the world may have been exposed, because an attacker could read data straight out of those sites' server memory.

SSL/TLS protects traffic with keys: a long-term private key identifies the server, and per-session keys encrypt the data. Heartbleed let an attacker read chunks of the server's memory, which could contain that private key, session keys, passwords and other sensitive information. With the private key a malicious third party can, amongst other things, impersonate the service and, unless forward-secret cipher suites were in use, decrypt traffic they recorded earlier.

Business risks

For businesses, any threat to online security is of the utmost importance and needs to be tackled immediately. Any company that ran a vulnerable version of OpenSSL should have patched first and then told all of their customers and clients, with clear advice on actions such as changing passwords; a password changed while the server was still vulnerable could simply be leaked again.

Businesses should also have generated a new private key and reissued their certificate after moving to a fixed version of OpenSSL, then revoked the old certificate. Replacing the certificate while keeping the same key achieves nothing: an attacker who already extracted the key can still impersonate the site. Session cookies and other tokens that may have sat in server memory should be invalidated as well.

End user actions

Vigilance and awareness are the watchwords for end users who think they may have been affected. Once a vulnerable organisation has confirmed that it is patched and let customers know that they should change their passwords, the advice should be acted upon straight away; changing a password on a site that is still vulnerable only exposes the new one.

Phishing emails that ask users to "update" their passwords are another threat. Users should open the site directly rather than follow a link in an email, and check that they are logging on to the official website and not an impersonated version.

Software

The flaw is in OpenSSL's handling of the TLS heartbeat extension (RFC 6520), not in the SSL/TLS protocol itself: a missing bounds check lets a peer claim a heartbeat payload far larger than the one it sent, and OpenSSL answers with up to 64 KB of whatever follows the request in memory. Only software linked against a vulnerable OpenSSL (1.0.1 through 1.0.1f) is affected, but that is not limited to web servers: mail servers, VPNs, appliances and clients that use OpenSSL can be attacked too, while servers built on other SSL/TLS implementations are not affected by this bug.
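The bug behind the headlines is a single missing length check. The following C program is an added example, not OpenSSL's own code: it models an RFC 6520 heartbeat record (type, two-byte payload length, payload, padding) in a plain array that stands in for process memory, handles one malformed request with the pre-fix logic and again with the bounds check that OpenSSL 1.0.1g added, and reports whether bytes lying beyond the record (a constructed placeholder for key material) came back in the response. The record layout, buffer sizes, the `"ping"` payload and the placeholder secret are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's code: a simplified model of TLS heartbeat
 * (RFC 6520) handling.  Record layout: type (1 byte), payload_length
 * (2 bytes, big-endian), payload, then 16 bytes of padding.  A plain array
 * stands in for process memory; sizes and contents are constructed. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_MAX_LEN   65535                /* 16-bit length field */
#define MEM_SIZE     4096

/* Simulated process memory: the incoming record sits at offset 0 and data
 * the peer must never see (a constructed placeholder) happens to follow it. */
static unsigned char mem[MEM_SIZE];
static unsigned char resp[3 + HB_MAX_LEN];
static const char secret[] = "CONSTRUCTED-PRIVATE-KEY-MATERIAL";

/* Place a heartbeat request in mem.  claimed_len is the attacker-controlled
 * length field; actual_len is how many payload bytes were really sent.
 * Returns the record length as the TLS record layer would know it. */
size_t build_request(uint16_t claimed_len, const unsigned char *payload, size_t actual_len)
{
    memset(mem, 0, sizeof mem);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, payload, actual_len);
    size_t rec_len = 3 + actual_len + HB_PADDING;
    memcpy(mem + rec_len, secret, sizeof secret);   /* whatever lay beyond */
    return rec_len;
}

/* Vulnerable handler, modelled on the pre-1.0.1g logic: it trusts the
 * length field and never compares it with the real record length. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    (void)rec_len;                                    /* the bug: never used */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);            /* over-reads memory */
    return (int)payload_len;
}

/* Fixed handler, with the bounds check added in 1.0.1g: the record must
 * really contain payload_len bytes plus padding, else it is discarded. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;                                    /* silently drop */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return -1;                                    /* silently drop */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return (int)payload_len;
}

/* Did the echoed payload (n bytes, or -1 if dropped) carry the bytes that
 * lay beyond the record? */
int leaks_secret(const unsigned char *out, int n)
{
    size_t slen = strlen(secret);
    for (int i = 0; n >= 0 && (size_t)i + slen <= (size_t)n; i++)
        if (memcmp(out + 3 + i, secret, slen) == 0)
            return 1;
    return 0;
}

/* One malicious request (claims 200 bytes, sends 4) through a handler.
 * Returns 1 if the handler leaked the secret, 0 if it did not. */
int run_malicious(int (*handler)(const unsigned char *, size_t, unsigned char *))
{
    const unsigned char payload[] = "ping";
    size_t rec_len = build_request(200, payload, 4);
    return leaks_secret(resp, handler(mem, rec_len, resp));
}

/* A well-formed request (length field matches payload) must still be echoed. */
int run_benign(int (*handler)(const unsigned char *, size_t, unsigned char *))
{
    const unsigned char payload[] = "ping";
    size_t rec_len = build_request(4, payload, 4);
    int n = handler(mem, rec_len, resp);
    return n == 4 && memcmp(resp + 3, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", run_malicious(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", run_malicious(heartbeat_fixed));
    printf("fixed handler answers benign:    %d\n", run_benign(heartbeat_fixed));
    return 0;
}
```

The real attack repeats this request, each time receiving a different 64 KB window of heap, and greps the collected responses for things shaped like private keys, cookies and passwords; nothing in the exchange is logged by the server, which is why the fixed handler drops a bad record silently rather than alerting on it.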

Even businesses using cheap SSL certificates will most likely face no extra outlay, as many certificate authorities reissue a certificate for a new key free of charge.

Fixes

As long as a vulnerable version of OpenSSL is in use it can be targeted by attackers. OpenSSL 1.0.1g fixes the bug, and where an immediate upgrade is not possible the library can be rebuilt with -DOPENSSL_NO_HEARTBEATS to disable the extension. Operating system vendors, appliance vendors and independent software vendors who shipped affected versions should have released the fix by now, but a patch only takes effect once every service that loaded the old library has been restarted.

This particular bug hit the headlines because it exposed private keys and other data on a large scale, and because the flaw had been present since OpenSSL 1.0.1 was released in March 2012. Exploitation leaves no trace in ordinary server logs, so the damage done over that period is hard to quantify.

[Image: EFF Photos]
