What Is OpenSSL?!
OK, so I mentioned OpenSSL twice and didn’t even explain it to you. Do you see the little lock icon next to the “https://” on your browser when you enter “secure” sites? It looks something like this on Google’s Chrome web browser:
When you see that, you’re using a special form of encryption known as secure socket layer (SSL) or transport layer security (TLS). To provide services with this encryption, you need an algorithm that will provide the encryption/decryption for the packets you exchange with the server. This means that they need to have a way to translate your text into unreadable gibberish and then translate it back from that into the readable form on their own end. Using this technology, if a hacker somehow manages to interfere with your connection to the server, all he’ll read is a long string of babble. Now, we get to the part (finally) where we explain what OpenSSL is: It’s a free and open-source implementation of SSL/TLS protocols. With this technology, anyone can provide encrypted services to you. Many companies you have accounts with may use OpenSSL to encrypt your data. But what if OpenSSL has a bug that completely defeats the purpose of encryption?
The Bug Explained
On April 10, 2014, the folks at PerfectCloud, an identity security company, have reported on a massive hole in OpenSSL’s coding known as the “Heartbleed” bug. For two years, we haven’t seen a new version of OpenSSL, and during that time it had a problem in its code which exposed a bit of server memory. This memory chunk could contain the private keys that are used to encrypt/decrypt data. Ouch! What this means is that a hacker could discover the server’s cryptographic keys and simply decrypt everything you send to it, including your username, your password, and everything else that’s important and dear to you.
What Should You Do?
So, even if a company upgrades to the latest OpenSSL implementation, you’re still at risk for previous exposures. However, if there are any further hacking attempts, they won’t succeed. What you can do in this situation is change your password everywhere. Don’t let it wait. Just change everything so that you’re prepared if a hacker ever decides to try out your accounts.
Any More Thoughts?
This bug simply shows how delicate and interwoven the Internet is. Despite its booming security awareness and unregulated awesomeness, the Internet is still the internet, and it will always be under siege. What recommendations do you have for companies that use OpenSSL? How did your understanding of security ecosystems change? Are you confused about something? Post your thoughts on anything related to OpenSSL in the comments area below!