Security bug: The internet bleeds passwords

A particularly serious security bug was discovered in the code that encrypts the name, password and other information we type in web sites.

Major sites have announced they fixed the bug, but many smaller sites may still be affected.

The security issue exists in hundreds of thousands to millions of locations worldwide, and it provides access to users' personal information, such as names, passwords and other data.

Some sites, such as Google, Facebook, Yahoo, Amazon and others, announced that they have fixed the bug, which has been named “Heartbleed”; however, the status of many other sites is not precisely known. Whether information was revealed, and what information, is unclear.

It turns out that the security bug has existed for two years in the common OpenSSL software, which is used by many sites, especially by browser plug-ins that aim to encrypt the information you enter on sites as it moves from your computer, via wireless networks and servers over the Internet, to the site you are visiting.

The bug makes information available to hackers who watch your network, fish it from your computer memory or pose as a legitimate server to gather the information.

It is estimated that it will take a few days or weeks until all sites are able to fix the bug. The CERT that operates under the U.S. administration issued a message intended for webmasters, calling for urgent repair of the bug.

What to do?

Not much. It is better to wait for the webmasters to handle the problem.

Security experts and webmasters give conflicting advice on what users should do. On one hand, a proactive password change can protect us in case the password was stolen. On the other hand, the password change can actually reveal your old and new passwords and create an issue with sites that have not yet fully solved the problems that the bug caused.

Either way, the latest version of OpenSSL, released last Monday, fixes the bug, and publishers can install the update immediately. However, additional actions are required on the part of webmasters, such as setting up new encryption, to ensure that the information of all their customers and users is protected.