
OpenSSL ‘Heartbleed’ Bug Leaves Millions of Sites Vulnerable

April 9, 2024         By: Kevin Xu

There’s a critical flaw in the heart of Internet security.

Every time you send an email, log on to your bank accounts, or use your credit cards to shop online, the information sent over the Internet is encrypted to protect against snooping.

One such piece of encryption software, called OpenSSL, is widely used across the web to protect sensitive information. It’s open-source software, meaning the code is available for developers to peruse and improve upon.

Developers can use and incorporate it into their mobile apps and web offerings instead of writing their own encryption method.

OpenSSL has a feature called “heartbeat” which allows one side to ping an OpenSSL-based web server and have it send back content saved in memory, up to 64kb.

Essentially, a hacker can trade 1kb of information for 64kb of random information from the victim. This data may contain anything from passwords and usernames to private encryption keys and other sensitive info.
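To show why the length check in the fix matters, here is an added example in C (not OpenSSL’s own code; a simplified model of the heartbeat record, with constructed sample data): the unpatched handler trusts the length field in the request and echoes whatever sits next to it in memory, while the patched handler applies the bounds check that OpenSSL 1.0.1g introduced.

```c
#include <stdint.h>
#include <string.h>

/* Simplified heartbeat record (RFC 6520): 1-byte type, 2-byte big-endian
 * payload length, the payload, then at least 16 bytes of padding. */
#define HB_REQUEST 1
#define HB_PADDING 16

/* Constructed "server memory": request claims 16 payload bytes but carries 2, then data that must never be echoed. */
static const uint8_t memory[] = {
    HB_REQUEST, 0x00, 0x10, 'h', 'i',
    's','e','c','r','e','t',':','h','u','n','t','e','r','2', 0
};
static const size_t bad_record_len = 5;   /* bytes actually received */
/* Constructed well-formed request: 2 payload bytes plus 16 bytes of padding. */
static const uint8_t good_record[] = {
    HB_REQUEST, 0x00, 0x02, 'h', 'i', 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
};

/* Unpatched behaviour: trusts the length field inside the request. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    (void)rec_len;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > cap) claimed = cap;       /* keeps this demo inside its buffers */
    memcpy(out, rec + 3, claimed);          /* copies well past the 2 real bytes */
    return claimed;
}

/* Patched behaviour (the 1.0.1g check): claimed payload plus padding must
 * fit inside the record actually received; otherwise drop it silently. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len || claimed > cap) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* 1 if the unpatched handler echoes the neighbouring secret. */
int vulnerable_leaks_secret(void) {
    uint8_t out[64];
    size_t n = heartbeat_vulnerable(memory, bad_record_len, out, sizeof out);
    return n == 16 && memcmp(out + 2, "secret:", 7) == 0;
}

/* Bytes echoed by the patched handler: 0 for the bad record, 2 for the good one. */
size_t fixed_echoes(int good) {
    uint8_t out[64];
    return good ? heartbeat_fixed(good_record, sizeof good_record, out, sizeof out)
                : heartbeat_fixed(memory, bad_record_len, out, sizeof out);
}
```

The same check also lets a legitimate heartbeat through unchanged, so the fix costs nothing for well-formed traffic.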

This vulnerability, called “Heartbleed”, leaves no trace behind, and worse yet, it’s a vulnerability that has been present for two years.

Major online services such as Yahoo and millions of other websites were vulnerable, but a patch has since been released to address this bug, with server admins quickly scrambling to implement the OpenSSL 1.0.1g update.

The most frightening part of all this is that it will be impossible to tell if and for how long data has been compromised.

While most banks use proprietary or modified encryption software to secure information, it’s likely some financial institutions have found themselves vulnerable to Heartbleed.

Worse yet, if passwords and usernames have been compromised from one site, then it’s highly probable that the same credentials can be used on other sites. A study conducted by the University of Cambridge in 2011 showed that almost 50 percent of internet users reused the same password for multiple sites.