The IT world got a nasty little surprise on Monday in the form of an OpenSSL Security Advisory. The bug it describes was quickly named the Heartbleed bug, and it put a good percentage of secure transactions on the Internet at risk.
What is the Heartbleed Bug?
The bug can be used to reveal a chunk of the server's working memory: whatever happened to be in that memory at the moment the attack was made. That could let an attacker pull the server's private keys, listen in on data traffic and potentially masquerade as the server. The really bad news is that the bug has been around for two years, and it is still unclear how long anyone has known about it, or whether it has been exploited.
The vulnerable software is the one used to manage SSL connections on around two thirds of servers on the Internet; among the big names that were vulnerable are Yahoo, Flickr and LastPass.
Fortunately it is a fishing game: the attacker does not know exactly what they will catch when they make the attack, but the server's encryption keys are the obvious primary target, as they necessarily sit in working memory.
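The memory disclosure described above comes from OpenSSL's TLS heartbeat handler trusting the payload length claimed by the peer. The following added example (not code from this page or from OpenSSL) models that in miniature: a vulnerable echo handler beside the corrected one, run against a constructed memory image in which a secret sits just past the received record.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Miniature model of a TLS heartbeat record (constructed for this example):
 * byte 0 = type, bytes 1-2 = claimed payload length (big-endian), then the
 * payload, then at least 16 bytes of padding. The server echoes the payload. */
#define HB_HEADER  3
#define HB_PADDING 16

/* Vulnerable handler: trusts the claimed length and copies that many bytes out of
 * the record, so a claim larger than the record over-reads adjacent memory. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > out_cap) return -1;          /* only the destination is checked */
    memcpy(out, rec + HB_HEADER, claimed);     /* source bound is never checked */
    return (int)claimed;
}

/* Fixed handler: claimed payload plus mandatory padding must fit inside the bytes
 * actually received; otherwise the record is dropped without a reply. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > out_cap) return -1;
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return -1;  /* the missing check */
    memcpy(out, rec + HB_HEADER, claimed);
    return (int)claimed;
}

/* Constructed process-memory image: a record with real payload "abc" (3 bytes) but a
 * claimed length of 32, then 16 bytes of padding, then data the peer must never see. */
static const uint8_t memory_image[48] = {
    0x01, 0x00, 0x20,                              /* type 1, claimed length 32 */
    'a', 'b', 'c',                                 /* actual payload */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* padding */
    'K', 'E', 'Y', '=', 's', '3', 'c', 'r', '3', 't' /* neighbouring secret */
};
#define RECORD_LEN (HB_HEADER + 3 + HB_PADDING)    /* bytes actually received: 22 */

/* Returns 1 if the handler's reply contains the neighbouring secret, else 0. */
static int leaks_secret(int (*handler)(const uint8_t *, size_t, uint8_t *, size_t)) {
    uint8_t out[64] = {0};
    int n = handler(memory_image, RECORD_LEN, out, sizeof out);
    for (int i = 0; i + 4 <= n; i++)
        if (memcmp(out + i, "KEY=", 4) == 0) return 1;
    return 0;
}
```

The over-read in the vulnerable handler stays inside `memory_image` here, so the example runs cleanly; in a real process the same copy walks into whatever heap data happens to follow the record.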
Many involved in security have advised users to steer clear of the Internet for a few days until this storm blows over!
What are we doing about it?
Yesterday we patched all of our servers and contacted all of our SSL clients to recommend that they re-issue their certificates; where necessary, we are working with clients to help them do this.
We have also re-generated all our service certificates that secure email etc.
For now, we suggest you remain careful about which sites you trust – an SSL certificate at the moment isn’t necessarily secure!