This week’s news has contained a lot of info about the so-called Heartbleed Bug. Here’s a quick snapshot of what you need to know as an organization and what your users should know.
First, Heartbleed is a flaw in OpenSSL, a widely used implementation of SSL/TLS found primarily on Linux systems. Windows systems appear largely unaffected. SSL provides communications security and privacy over the Internet for applications such as web, email, instant messaging, and some virtual private networks.
The implications are pretty serious. In testing by Codenomicon, testers gained access to systems from the outside without leaving a trace and were able to read user names and passwords, messages, emails, and business-critical documents.
Netcraft has reported that many sites are already deploying new certificates in response to this issue, including Yahoo, Adobe, CloudFlare, DuckDuckGo, GitHub, Reddit, Launchpad, PayPal, Netflix and Amazon’s CloudFront content delivery network.
If your organization has Linux systems, test them immediately using publicly available tools, and if any are vulnerable, deploy a new, fixed OpenSSL build as soon as possible.
What do you do as a user? If you can connect to a site or appliance using HTTPS and it isn’t running on Microsoft Windows, consider it vulnerable until proven otherwise. Look for confirmation from the site that it has tested for the vulnerability and has either corrected it or verified it isn’t affected. Once you have that confirmation, it would also be a good time to change your password for any SSL-secured site, just as a precaution.
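One concrete way to act on the "look for confirmation" advice above is to check whether a site has rotated its certificate since the disclosure, which is the change Netcraft reported the big sites making. The script below is an added example, not code from the original post or from any of the vendors mentioned; it uses only the Python standard library. It assumes a disclosure cutoff of 7 April 2014 (the page itself gives no date), treats any hostname you pass on the command line as a placeholder for a site you are allowed to query, and ships with a constructed certificate dict (not a real site's certificate) so it also runs offline.

```python
"""Check whether a TLS server's leaf certificate was issued after a cutoff date.

Added example for the Heartbleed advisory above. A certificate issued after the
cutoff is consistent with "we patched and reissued"; one that pre-dates it is
inconclusive, because a site that never ran a vulnerable OpenSSL had no reason
to rotate. Either way, the operator's own statement is the authoritative answer.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Assumed cutoff: public disclosure of Heartbleed (not stated on the page).
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed samples in the dict shape that ssl.SSLSocket.getpeercert() returns.
# Values are invented for this example and do not describe any real site.
SAMPLE_CERT_REISSUED = {
    "subject": ((("commonName", "www.example.test"),),),
    "notBefore": "Apr  9 12:00:00 2014 GMT",
    "notAfter": "Apr  9 12:00:00 2015 GMT",
    "serialNumber": "0123456789ABCDEF",
}
SAMPLE_CERT_OLD = {
    "subject": ((("commonName", "legacy.example.test"),),),
    "notBefore": "Jan 15 00:00:00 2014 GMT",
    "notAfter": "Jan 15 00:00:00 2015 GMT",
    "serialNumber": "FEDCBA9876543210",
}


def cert_issued_after(cert, cutoff):
    """True if the certificate's notBefore is later than `cutoff` (tz-aware datetime).

    ssl.cert_time_to_seconds() parses the exact 'Mon DD HH:MM:SS YYYY GMT' string
    that getpeercert() puts in the 'notBefore' field and returns a UTC epoch.
    """
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]),
                                    tz=timezone.utc)
    return issued > cutoff


def assess(cert, cutoff=HEARTBLEED_DISCLOSURE):
    """Classify a certificate relative to the cutoff.

    'reissued'  - issued after the cutoff: consistent with rotation after patching.
    'pre-dates' - issued before the cutoff: the site either never needed to rotate
                  or has not done so yet; look for the operator's statement.
    """
    return "reissued" if cert_issued_after(cert, cutoff) else "pre-dates"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate presented by host:port as getpeercert()'s dict.

    Verification stays on (default context), so a site serving an invalid or
    expired certificate raises ssl.SSLCertVerificationError rather than being
    silently accepted; that is itself a signal worth noticing.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # Offline demonstration on the constructed samples.
        for cert in (SAMPLE_CERT_REISSUED, SAMPLE_CERT_OLD):
            print(cert["subject"][0][0][1], assess(cert), "notBefore =", cert["notBefore"])
    else:
        host = sys.argv[1]  # placeholder: a site you are permitted to query
        cert = fetch_peer_cert(host)
        print(host, assess(cert), "notBefore =", cert["notBefore"])
```

Run it with no arguments to see the two constructed samples classified, or with a hostname to query a live site. Treat the result as a hint, not proof: a new certificate only helps if the server was updated and its services restarted before the new key was generated, and if the old certificate was revoked; a certificate that pre-dates the disclosure tells you nothing by itself, which is why the post's advice to look for the operator's own confirmation still stands.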