The Heartbleed vulnerability

What is the Heartbleed Bug? And why is this recently discovered software flaw triggering so many alarm bells?

Let me begin by explaining that the Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
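To make the weakness concrete, here is an added illustration (not code from the post or from OpenSSL) of the heartbeat message handling at the root of the flaw, modelled in Python. A heartbeat request carries a declared payload length; the flawed handler trusts that number and copies that many bytes into its reply, while the corrected handler first checks the declared length against the bytes actually received. The "adjacent memory" buffer is a constructed stand-in for whatever happened to sit next to the request in the process heap.

```python
import struct
from typing import Optional

# Heartbeat message layout (RFC 6520): type (1 byte) | payload_length (2 bytes) | payload | padding (>= 16 bytes)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 3


def build_heartbeat_request(payload: bytes, declared_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. declared_length lets a test construct a
    malformed request whose claimed payload size exceeds what is sent."""
    length = len(payload) if declared_length is None else declared_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def heartbeat_response_unchecked(record: bytes, adjacent_memory: bytes) -> Optional[bytes]:
    """Models the flawed handling: the declared length is trusted, so the copy
    runs past the end of the received record into whatever follows it in memory."""
    if len(record) < HEADER_LEN:
        return None
    hb_type, length = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    heap = record + adjacent_memory            # constructed stand-in for the process heap
    payload = heap[HEADER_LEN:HEADER_LEN + length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + payload + b"\x00" * MIN_PADDING


def heartbeat_response_checked(record: bytes) -> Optional[bytes]:
    """Corrected handling: a request whose declared payload length does not fit
    inside the received record is silently discarded instead of answered."""
    if len(record) < HEADER_LEN:
        return None
    hb_type, length = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + length + MIN_PADDING > len(record):
        return None                            # bounds check: declared length exceeds the record
    payload = record[HEADER_LEN:HEADER_LEN + length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + payload + b"\x00" * MIN_PADDING


def leaks_adjacent_memory(record: bytes, adjacent_memory: bytes) -> bool:
    """True if the unchecked handler's reply contains any byte taken from beyond the record."""
    reply = heartbeat_response_unchecked(record, adjacent_memory)
    if reply is None:
        return False
    echoed = reply[HEADER_LEN:]
    return len(echoed) > len(record) - HEADER_LEN


if __name__ == "__main__":
    # Constructed sample data: a well-formed request and one with an inflated length field.
    secret_neighbour = b"session_cookie=EXAMPLE_SECRET_VALUE; " * 4
    good = build_heartbeat_request(b"ping")
    bad = build_heartbeat_request(b"ping", declared_length=100)
    print("well-formed, checked  :", heartbeat_response_checked(good))
    print("malformed, checked    :", heartbeat_response_checked(bad))
    print("malformed, unchecked leaks neighbour bytes:", leaks_adjacent_memory(bad, secret_neighbour))
```

The length check mirrors the shape of the fix OpenSSL shipped: the declared payload plus the fixed header and minimum padding must fit inside the record that actually arrived. Anything that fails that test is dropped without a reply, which is the safe choice for a malformed heartbeat.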

What type of devices, aside from web servers, are affected by Heartbleed, you ask?

First of all, OpenSSL is used in many other places, not just web servers. SSL VPN, for example, uses it. Encrypted FTP might use it as well. Any time you have a server application that uses encryption, OpenSSL is likely to be involved. So the question is not so much what type of devices, but rather what types of applications. This is a server-side vulnerability, which will affect any server application using encryption, including proprietary applications.

Next, the issue of updating: how likely are they to be updated? My answer is short and sweet: they_had_better_be. This vulnerability is serious and not yet fully exploited. I wouldn’t be surprised to see various exploits pop up in the coming days.