Hi tech community,
Some of you may have been made aware, but others may be not. Recently there was a pretty nasty bug discovered in OpenSSL's implementation, which poses quite a security risk to any online entity that was relying on it.
The technical details are at the bottom of the post, as well as short analysis, but Mashable has a list of passwords you may need to change right now, although some are in the "better safe than sorry" realm - http://mashable.com/2014/04/09/heartble ... -affected/
What is it?
There's a tiny vulnerability in the code that handles TLS 'heartbeat' messages. By abusing this mechanism, an attacker can request that a running TLS server hand over a relatively large slice (up to 64KB) of its private memory space. Since this is the same memory space where OpenSSL also stores the server's private key material, an attacker can potentially obtain:
1. Long-term server private keys
2. TLS session keys
3. Confidential data, like passwords
4. Session ticket keys
Any of the above may allow an attacker to decrypt ongoing TLS sessions or steal useful information. However item (a) above is by far the worst, since an attacker who obtains the server's main private keys can potentially decrypt past sessions (if made using the non-PFS RSA handshake) or impersonate the server going forward. Worst of all, the exploit leaves no trace.
While the issue itself was introduced with 20 lines of erroneous code, we cannot be mad at the OpenSSL community, which is relatively small and works with essentially no pay.
P.S. I laughed hard at the late night news yesterday claiming a global hacker attack has been initiated and we need to save ourselves ASAP. Nothing like that, really. Don't panic, just the next wave of pro-active password changes.