OpenSSL Heartbleed, what is it and what does it mean for security?

We also found out that the Heartbleed bug is in a version of the OpenSSL software that’s two years old — so this vulnerability could have been attacked for a very long time by someone with the resources to exploit it. 

Sophos security experts helped us to understand Heartbleed and what it means, how to protect yourself, and why we should all be thankful for open source software, even if it’s not perfect.

Chester Wisniewski, Sophos senior security advisor, let us in on what Heartbleed is and why it’s so important for security on the Internet. Chet explained that OpenSSL sends a small packet of data back and forth between web servers to make sure the connection is still working, what’s called a TLS Heartbeat.

Only now it turns out that web servers could be tricked into sending huge amounts of system-stored data in response to a Heartbeat ping — data which could include passwords and encryption keys. In an opinion column published on CNN.com, Chet described how two-thirds of all websites were vulnerable to Heartbleed. Fortunately, most major Web services have already applied fixes to the affected Web servers and services. The bad news is that smaller websites as well as many companies’ products that rely on OpenSSL may linger for many more years without a fix.

Chet told BuzzFeed that an even bigger concern is who might have known about the Heartbleed bug before the rest of us caught on — and the most likely organization to know would be the U.S. National Security Agency (NSA), which has the means and an interest in finding such vulnerabilities.

“That’s exactly what the leaked NSA programs are supposed to do: Find the flaws, exploit them and never tell anyone,” Chet said. According to Chet, the “open” part of OpenSSL means this vital security software is maintained by volunteer researchers, not commercial interests. And that means we should be focusing our attention on supporting the open parts of the Internet that we rely on for freedom of communication.

All of us have come to rely on the Internet socially, politically and economically. The billions of dollars a year being made by the tech giants would not be possible without the millions of donated hours that maintain free and open software like OpenSSL, Linux, Apache Web server, and Postfix mail server.

You can read the original article here.