Caution Advised as Heartbleed Poses Serious Security Threat
by Bitdefender Security Specialists, on 10 April 2014
A potentially damaging flaw has been discovered with the OpenSSL libraries that will likely trigger reactions ranging from mild concern to serious discussions in the security industry. At this point, it is impossible to measure the extent of the damage – or indeed if any damage at all was caused – but Bitdefender advises its customers to exercise caution.
The Heartbleed bug could give anyone who knew about it unfettered access to secure web sites across the internet that use certain versions of OpenSSL, which is used for SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption. This means that an attacker could enter a secure site, steal sensitive information and leave without a trace.
The SSL and TLS protocols are used to secure e-mail, web applications, some VPNs, messaging services and more. This means thieves could have made off with encryption keys, private messages, passwords, confidential documents and virtually anything else that users thought was protected.
It is quite difficult to estimate how many people or web sites have been endangered by Heartbleed, but OpenSSL is the default encryption library of Apache and Nginx server software, which are used by 66 percent of the sites in the world, according to the Netcraft April 2014 Web Server Survey.
That doesn’t automatically place them all at risk. The bug is present in versions issued from December 2011 onward. OpenSSL advises in a note that “1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1. Affected users should upgrade to OpenSSL 1.0.1g.”
Bitdefender has already taken all the necessary measures and for security best practices we advise you the following: