It’s reassuring to see the https:// prefix on a webpage and know that you can securely enter personal details and passwords. Well, it seems that for the last two years your trust has been misplaced. Two years ago, a routine update to the OpenSSL encryption software (one of the most commonly used on the Internet) introduced a bug which left a door open to the encryption routine. It’s not a case of malware; more likely it is sloppy coding.
The flaw, named Heartbleed, was jointly discovered by the Finnish security company Codenomicon and a researcher working for Google Inc. Fingers crossed, they are the first to have noticed. An updated version of OpenSSL which plugs the hole was released on Monday 7th April, but it’s important for all administrators of websites using the security software to ensure they are using the most recent release.
Should you worry? The social networking web site Tumblr issued a warning on Tuesday after they installed the patched version of OpenSSL: "This might be a good day to call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking, which may have been compromised by this bug." Before you change passwords, it’s important to make sure the web site is using the latest software version.
Image courtesy of Heartbleed.com