A team of researchers from Codenomicon and Google Security have uncovered a major flaw in one of the most popular crytography library Open SSL, which it says may have exposed security keys for up to 66% of websites ranging from e-commerce to social media to blogs (just like this one) over the last three years.
In a blog post about the bug published yesterday, the team lays out a technical explanation of what’s at risk and why, and blames a “programming error” which allows attackers to read chunks of up to 64KB from a server’s memory as crypotography keys are exchanged. These keys are the tools used to encrypt traffic to and from your PC to a server provided by – say – a bank and are swapped during the password authentication ‘handshake’ of logging on to a site.
While the bug – officially designated CVE-2014-0160 and nicknamed Heartbleed – has been patched out of the latest OpenSSL libraries, the team believe that it has been in the wild since 2011 and that attacks made using this exploit would be undetectable. In other words, it’s impossible to know how many attacks there have been, and who has been affected.
As well as updating servers to the latest version of OpenSSL, the researchers recommend service providers revoke existing keys – which are provided by Certificate Authorities – and apply for fresh ones that haven’t been compromised.
Researchers at anonymity experts TOR point out that only more recent versions of OpenSSL are affected by the bug, and that its browser is safe as it doesn’t rely on that particular library for encryption. TOR node may, however, have been compromised by the bug.
The last security patch for Windows XP – which will be issued today – will also include a fix for the Heartbleed bug.