Researchers have discovered a long-standing vulnerability in OpenSSL, the software that most websites and many other online services (such as email and VPNs) rely on to encrypt and secure your communication.
The flaw was introduced into OpenSSL at the end of 2011 and shipped in every release from 1.0.1 (March 2012) through 1.0.1f; it was fixed in 1.0.1g, released on 7 April 2014. Following the recent publicity, there is growing evidence that attackers are already probing websites for this vulnerability.
OpenSSL is the most widely used open-source implementation of the SSL/TLS protocols. The two web servers that together power around two-thirds of websites (Apache and nginx) typically rely on it, as do many mail servers and VPN products, so a very large number of services are potentially affected. Websites that use TLS are recognisable by the small padlock icon in the browser address bar or the ‘s’ added to the ‘http’ prefix, but the padlock only tells you the connection is encrypted, not which software or version the server runs, so it cannot tell you whether a particular site is affected.
An attacker could use this vulnerability (nicknamed ‘Heartbleed’, CVE-2014-0160) to read up to 64 KB of a vulnerable system’s memory with each malicious request, repeating the request as often as they like and leaving nothing in the server’s logs. That memory can contain the private keys used to protect the site’s traffic, session cookies, user names and passwords, and the content of other users’ requests and responses.
It means an attacker can eavesdrop on your communications with a website or service, steal data directly from the service or from its users, or, with a stolen private key, impersonate the website itself.
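The flaw itself is a single missing bounds check. The example below is added here and is not code from the original page or from OpenSSL; it is a simplified model of the heartbeat handling in OpenSSL 1.0.1 to 1.0.1f beside the check that 1.0.1g added. The “process memory” array, the secret placed in it and the message layout are constructed for the demonstration (the message format follows RFC 6520: type, two-byte payload length, payload, padding), and the function names are this example’s own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_MIN_PADDING  16

/* Constructed "process memory": the received record is placed at offset 0 and
 * unrelated sensitive data sits a few bytes after it, as it might on a busy
 * server. Keeping everything inside one array keeps the over-read below
 * well-defined C while still showing the leak. */
#define MEM_SIZE       512
#define SECRET_OFFSET  40
static const char SECRET[] = "session_cookie=abc123; user=alice; pass=hunter2";
static unsigned char process_memory[MEM_SIZE];

/* Model of tls1_process_heartbeat() in OpenSSL 1.0.1 to 1.0.1f: payload_length
 * is read from the message and trusted, never compared with how many bytes
 * (rec_len) actually arrived. Returns the number of payload bytes echoed. */
static int vulnerable_heartbeat(const unsigned char *rec, size_t rec_len,
                                unsigned char *resp, size_t resp_cap)
{
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    (void)rec_len;                                  /* never consulted: the bug */
    if (hbtype != HB_REQUEST) return -1;
    if (3 + (size_t)payload > resp_cap) return -1;  /* only our own output is bounded */
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, payload);                   /* copies far beyond the bytes received */
    return (int)payload;
}

/* The 1.0.1g fix: discard the record unless it is long enough to hold the
 * header, the claimed payload and the minimum padding. */
static int fixed_heartbeat(const unsigned char *rec, size_t rec_len,
                           unsigned char *resp, size_t resp_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return -1;
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_MIN_PADDING > rec_len) return -1;
    if (hbtype != HB_REQUEST) return -1;
    if (3 + (size_t)payload > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, payload);                   /* now provably within the record */
    return (int)payload;
}

/* Lay out the constructed memory: a 3-byte attacker request that claims a
 * 'claimed'-byte payload but carries none, with the secret further along. */
static size_t stage_attack_record(uint16_t claimed)
{
    memset(process_memory, 0, MEM_SIZE);
    process_memory[0] = HB_REQUEST;
    process_memory[1] = (unsigned char)(claimed >> 8);
    process_memory[2] = (unsigned char)(claimed & 0xff);
    memcpy(process_memory + SECRET_OFFSET, SECRET, sizeof SECRET);
    return 3;                                       /* bytes actually on the wire */
}

static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler echoes the secret back to the attacker. */
int demo_vulnerable_leaks_secret(void)
{
    unsigned char resp[3 + 256];
    size_t rec_len = stage_attack_record(256);
    int n = vulnerable_heartbeat(process_memory, rec_len, resp, sizeof resp);
    return n == 256 && contains(resp + 3, (size_t)n, "pass=hunter2");
}

/* 1 if the fixed handler drops the same malicious record. */
int demo_fixed_rejects_attack(void)
{
    unsigned char resp[3 + 256];
    size_t rec_len = stage_attack_record(256);
    return fixed_heartbeat(process_memory, rec_len, resp, sizeof resp) == -1;
}

/* 1 if the fixed handler still answers a well-formed 4-byte "ping" heartbeat. */
int demo_fixed_accepts_valid(void)
{
    unsigned char rec[1 + 2 + 4 + HB_MIN_PADDING] = { HB_REQUEST, 0, 4, 'p', 'i', 'n', 'g' };
    unsigned char resp[3 + 4];
    int n = fixed_heartbeat(rec, sizeof rec, resp, sizeof resp);
    return n == 4 && resp[0] == HB_RESPONSE && memcmp(resp + 3, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable leaks secret : %d\n", demo_vulnerable_leaks_secret());
    printf("fixed rejects attack    : %d\n", demo_fixed_rejects_attack());
    printf("fixed accepts valid     : %d\n", demo_fixed_accepts_valid());
    return 0;
}
```

The attacker sends three bytes and gets 256 back; the real exploit asks for the maximum 65,535 and repeats, so each answer is a fresh slice of whatever the server happened to have in memory next to the request. Note that the fixed version checks the claimed length against the bytes that actually arrived before anything is copied, and simply drops malformed records rather than answering them.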
A large number of websites and other services are affected, including, for example, Yahoo (now fixed). Most reputable organisations should already be updating their OpenSSL and reissuing their certificates with new private keys to address the issue; however, with so many sites potentially affected, some may not be updated as quickly.
More information is likely to emerge about this issue in coming days.
What can you do?
Each website or service will first need to be fixed by its administrator.
You can also contact any website or service provider you use and ask them if the issue has been addressed.
Only once a site has been fixed should you change your password for any accounts you hold there, particularly if they relate to sensitive, personal or financial information. Changing a password before the site is patched does not help, because the new password can be stolen in the same way as the old one.
Affected websites may notify users to change passwords if they consider it important, but unfortunately there is no guarantee that websites will do this.
If you are a business that operates a website, you should be taking steps to address this issue now: update OpenSSL to 1.0.1g or later (or to a vendor package that carries the fix, which many distributions backported without changing the version number), restart every service that links against it, generate new private keys, reissue your certificates and revoke the old ones, then invalidate existing sessions and advise users to change their passwords.
Online checking tools can test whether a website is still vulnerable by sending it a malformed heartbeat request. Note that a clean result only shows that the site has been patched; it says nothing about what may have been exposed before the patch was applied.
Heartbleed.com explains the technical detail of the issue.