greybeard
Well-known member
If you make purchases online, do online banking or do anything else that might have included your personal information, read and heed. It's been around a while, so your info may already have been exposed. Most websites have already patched their security protocols, but because it's been around so long without detection, the exploit is still dangerous.
The problem is in the encryption process/protocol itself--that little lock you see near the address bar on your browser when doing on-line transactions doesn't necessarily mean it is/was a secure transaction.
http://www.thewire.com/technology/2014/ ... et/360366/
http://venturebeat.com/2014/04/08/what- ... -at-least/
There's a security flaw in one of the basic encryption tools used by a huge number of websites, and it probably affects you.
Just to be safe, you should probably change your passwords. All of them.
The flaw goes by the appropriately scary name "Heartbleed," and it affects OpenSSL, a data encryption library used by — potentially — more than two-thirds of the Internet's websites.
In short, the bug means that attackers can "listen in" on communications between those websites and the browsers visiting them.
That "lock" icon that appears in your browser to indicate that you're communicating with a secure website is an indication that your browser is using SSL. If it's doing so with a website that's using a relatively recent version of OpenSSL, your data could be compromised.
The flaw exists in versions of OpenSSL that have been in use for about two years, and no one knew about it — no one legitimate, anyway — until a few days ago. Since then, the security researchers who discovered the bug have notified some of the major affected websites as well as the organization responsible for OpenSSL, which has already issued a fix. They have also published an informational web site, at Heartbleed.com. That means major web sites should be fixed soon, if they aren't already — but given how widespread the bug is, it may be weeks, months, or even years before the affected version is completely out of distribution.
"Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously," the researchers wrote on Heartbleed.com.
If any malicious people knew about the bug before it was first widely publicized yesterday, they could have been using it to snoop on supposedly secure browser-server communications for as long as two years — since the first vulnerable version of OpenSSL appeared in December 2011. That means the bad guys may already have your passwords.