Advertisement
Advertisement

Want to avoid catastrophic Heartbleed bug? Stay off the internet

James Temperton
9 Apr 2014
Heartbleed Bug
Advertisement

Security bug could affect at least 66 per cent of websites and 500,000 secure web servers

A coding error at the heart of the web could let hackers steal the cryptographic keys used to secure online connections, putting every internet user at risk.

The bug, known as Heartbleed, affects web servers running OpenSSL, with estimates claiming at least 66 per cent of websites could be affected. Yahoo, OKCupid, the FBI and Imgur are all affected, while Google, Microsoft, Twitter, Facebook and Dropbox are not.

OpenSSL is used to protect sensitive data such as passwords, but the bug allows hackers to not only steal the data but also the keys used to secure it. Websites are able to fix the bug but must also update all their security keys.

Worryingly the bug, which was inadvertently introduced during an update in 2011, has also caused affected servers to leak private data. Security researchers have found that websites including Yahoo have been spilling out user credentials, although it isn't clear if criminals have been collecting the data.

Until the update is fixed on all websites affected experts have warned that there is no way to stay safe online.

"If you need strong anonymity or privacy on the Internet, you might want to stay away from the internet entirely for the next few days while things settle," warned the Tor anonymity network.

A website detailing the implications of the massive Heartbleed security flaw warns that "anyone on the internet" can read information transferred using the vulnerable OpenSSL software.

"This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users," the website explains.

It is impossible to know if the security flaw has already been exploited as attacks of this kind leave no trace. The widely-used OpenSSL software is estimated to be used on about 500,000 of the web's secure servers.

Read more

News