08 Apr 2014
A weakness in the popular OpenSSL cryptographic library allowed third parties to eavesdrop on encrypted communications, according to heartbleed.com.
OpenSSL is used to encrypt Internet traffic and to protect email servers, chat servers (XMPP protocol), virtual private networks (VPNs), network appliances and other software. CVE-2014-0160, the security vulnerability in the TLS/SSL data transmission protocol, exposed a range of private content, including customer credentials, usernames, passwords, instant messages, emails and business communications.
The information travelling between server and client is normally protected by secret encryption keys. The bug, present since OpenSSL 1.0.1 was released two years ago, left a significant number of those private keys vulnerable.
“Leaked secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will,” the site’s FAQ says. “Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed.”
A fix, OpenSSL 1.0.1g, has been released. Appliance, software and operating system vendors, including those behind Debian Wheezy, Ubuntu, CentOS, FreeBSD, OpenBSD and OpenSUSE, are advised to apply it as soon as possible.
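As an added example, not part of the original article or of the OpenSSL project, the following Python check parses an `openssl version` banner and flags builds in the range the article describes (1.0.1 up to but excluding the fixed 1.0.1g). The backport caveat in the docstring is an assumption of mine about how distributions ship patches, not something the article states.

```python
import re
import subprocess

# Affected range per the article: every 1.0.1 build before the fixed 1.0.1g.
VULNERABLE_BRANCH = (1, 0, 1)
FIXED_LETTER = "g"

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.1g 7 Apr 2014".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(banner):
    """Return ((major, minor, patch), letter) from an OpenSSL banner, or None if unrecognised."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def is_heartbleed_version(banner):
    """True if the banner's version lies in 1.0.1 .. 1.0.1f.

    Assumption (not from the article): distributions often backport the fix
    without changing the upstream version string, so a True result means
    'verify the package changelog', not 'definitely vulnerable'.
    """
    parsed = parse_version(banner)
    if parsed is None:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    branch, letter = parsed
    if branch != VULNERABLE_BRANCH:
        return False
    # '' (plain 1.0.1) and 'a'..'f' sort below 'g', so they are in the affected range.
    return letter < FIXED_LETTER


def check_local_openssl():
    """Run the local `openssl version` and report; returns None if no binary is present."""
    try:
        banner = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=True).stdout.strip()
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return banner, is_heartbleed_version(banner)


if __name__ == "__main__":
    result = check_local_openssl()
    print("no openssl binary found" if result is None else
          f"{result[0]}: {'in affected range' if result[1] else 'outside affected range'}")
```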