How to Protect Your Information from HeartBleed

What You Need to Know about the HeartBleed Security Flaw

In what may be the most serious internet security flaw in recent memory, researchers at Codenomicon (and, independently, Google's security team) discovered a bug in OpenSSL, the cryptographic library behind much of the web's SSL/TLS, that lets a remote attacker read sensitive data straight out of a server's memory. The flaw is tracked as CVE-2014-0160.

Because OpenSSL is the TLS library behind the two most popular web servers, Apache and nginx, around 67% of the web was potentially open to attack or data theft. Other internet software that uses OpenSSL for SSL/TLS, such as mail servers, VPNs and chat programs, is affected in the same way.

This bug has the internet security community in an uproar because it exposes exactly the information we trust websites, software and services to protect: private encryption keys, session cookies, usernames, passwords, credit card numbers, business-critical documents, emails and messages. Whatever happens to be in the vulnerable process's memory at the moment of the attack, including data other users have just sent, is up for grabs, and the attack leaves no trace in normal server logs.

If you use the web, the chances you've interacted with an affected website are close to 100%. What's even scarier? The bug was introduced in OpenSSL 1.0.1 (released March 2012) and went unnoticed for about two years, and anyone with basic programming skills can write an exploit for it.

Who The HeartBleed SSL Security Flaw Affects

As stated above, websites, software and services that rely on a vulnerable OpenSSL build (versions 1.0.1 through 1.0.1f) to encrypt or secure traffic are exposed, and anyone who has used those sites or services has potentially had their information stolen (read: nearly everyone who uses the internet).

A more useful exercise is to delineate who and what is NOT affected by HeartBleed.

OpenSSH is not affected by this bug: it does not speak TLS, so it never uses the heartbeat extension that HeartBleed attacks. Microsoft web servers (IIS and the .NET stack) are also unaffected, because they use Microsoft's own SChannel TLS implementation rather than OpenSSL. Clarity has long used the Microsoft framework for our ecommerce platform and web services because of Microsoft's strict adherence to server security policies, and fortunately for us and our clients this has paid off here.

Furthermore, only servers running a vulnerable OpenSSL version with the heartbeat extension enabled (which it is by default) are exploitable. Netcraft currently puts the share of SSL sites exposed to HeartBleed at 17.5%, around half a million certificates. Nonetheless, major websites such as Yahoo and Steam Community have been affected.

How Heartbleed Exposes Your Sensitive Information

A 'heartbeat' is a keep-alive message defined by the TLS Heartbeat Extension (RFC 6520): one side sends a small payload and the other echoes it back, so both can verify that their connected counterpart is still online and responding without renegotiating the connection.

The researchers found that the heartbeat message carries its own length field, and vulnerable OpenSSL versions trust that field without checking it against the amount of data actually received. A hacker can send a heartbeat with a tiny payload but a claimed length of up to 64 KB; the server dutifully copies that many bytes out of its own memory into the reply. Each malicious heartbeat therefore returns up to 64 KB of whatever happened to be in RAM next to the request: other users' session data, passwords, or the server's private key. The request can be repeated indefinitely and is not logged.

If a hacker obtains the server's private key, they can decrypt traffic to that server (including previously recorded traffic, unless forward-secret cipher suites were used) and even impersonate the server so as to intercept sensitive information, which is why replacing keys and certificates is part of the fix.
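The length-trusting bug described above, as an added example (this is not code from the page or from OpenSSL itself): a Python model of the RFC 6520 heartbeat message, with one handler that mirrors the logic of OpenSSL 1.0.1 through 1.0.1f and one that applies the bounds check introduced in 1.0.1g. The "memory" buffer, the fake secret inside it and all function names are constructed for illustration.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER = 3     # 1-byte message type + 2-byte payload_length (RFC 6520)
PADDING = 16   # RFC 6520 requires at least 16 bytes of padding after the payload

# Constructed "process memory": the received heartbeat record sits at offset 0,
# followed by whatever the server happened to have in RAM next to it. The
# secret below is fake and exists only to show what an over-read returns.
NEARBY_SECRET = (b"Cookie: session=9f3c1a; user=alice; pass=hunter2\r\n"
                 b"-----BEGIN RSA PRIVATE KEY-----MIIE(fake)...")
HEAP_FILLER = b"\x00" * 65536  # constructed: rest of the heap, so a 64 KB read succeeds


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Build a heartbeat request. An honest peer sets claimed_len == len(payload);
    an attacker sets it as high as 65535 while sending almost no payload."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def server_memory(request: bytes) -> bytes:
    """The server's buffer: the record it received, then unrelated live data."""
    return request + NEARBY_SECRET + HEAP_FILLER


def vulnerable_handler(memory: bytes, record_len: int):
    """Mirror of OpenSSL 1.0.1 through 1.0.1f: trust payload_length and copy that
    many bytes from just after the header, ignoring how long the record really was."""
    hb_type, payload_len = struct.unpack("!BH", memory[:HEADER])
    if hb_type != HB_REQUEST:
        return None
    echoed = memory[HEADER:HEADER + payload_len]   # reads far past record_len
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def fixed_handler(memory: bytes, record_len: int):
    """Mirror of the 1.0.1g fix: a heartbeat whose claimed payload does not fit
    inside the record actually received is silently discarded (as RFC 6520 requires)."""
    if record_len < HEADER + PADDING:
        return None
    hb_type, payload_len = struct.unpack("!BH", memory[:HEADER])
    if hb_type != HB_REQUEST:
        return None
    if HEADER + payload_len + PADDING > record_len:
        return None
    echoed = memory[HEADER:HEADER + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def echoed_payload(response: bytes) -> bytes:
    """Strip the response header and padding, leaving the bytes the server copied."""
    _, payload_len = struct.unpack("!BH", response[:HEADER])
    return response[HEADER:HEADER + payload_len]


def run_attack(claimed_len: int = 200) -> bytes:
    """Send a 4-byte payload with an inflated length to the vulnerable handler and
    return what leaks. The 16-bit length field caps a single read at 65535 bytes."""
    request = build_heartbeat(b"ping", claimed_len)
    response = vulnerable_handler(server_memory(request), record_len=len(request))
    return echoed_payload(response)


def run_attack_against_fixed(claimed_len: int = 200):
    """The same crafted request against the patched handler: it is dropped."""
    request = build_heartbeat(b"ping", claimed_len)
    return fixed_handler(server_memory(request), record_len=len(request))


def honest_heartbeat() -> bytes:
    """A well-formed heartbeat still works after the fix: only the payload comes back."""
    request = build_heartbeat(b"ping", len(b"ping"))
    response = fixed_handler(server_memory(request), record_len=len(request))
    return echoed_payload(response)


if __name__ == "__main__":
    leaked = run_attack()
    print(f"vulnerable server leaked {len(leaked)} bytes, e.g. {leaked[20:68]!r}")
    print("fixed server reply to the same request:", run_attack_against_fixed())
    print("honest heartbeat after the fix:", honest_heartbeat())
```

The leaked reply begins with the 4-byte payload and the 16 bytes of padding that really were in the record, and everything after that is the neighbouring memory the server should never have sent. The fix does not inspect the content at all; it only refuses to copy more bytes than the record contains, which is why a correctly formed heartbeat still gets its echo.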

Here's a more in-depth explanation of the issue from cyber security expert Zulfikar Ramzan, MIT Ph.D.

How You Can Protect Yourself and Your Website in 3 Easy Steps

  1. Companies using OpenSSL should immediately upgrade to OpenSSL 1.0.1g (or a distribution package that backports the fix) and then restart every service that links the library: web servers, mail servers, VPNs. A running process keeps the old, vulnerable code in memory until it is restarted. If upgrading is not possible right away, rebuild OpenSSL with -DOPENSSL_NO_HEARTBEATS to disable the extension.

  2. Generate new private keys and reissue your server certificates, then revoke the old ones. There is no way of knowing whether your keys were read during the two-year vulnerability period, and the attack leaves no trace in the logs, so assume the worst. Do this only after step 1; a new key installed on a still-vulnerable server can be stolen the same way.

  3. Advise users of your services or products to change their passwords, and invalidate existing sessions and cookies on the server side. Again, this only helps after the server is patched; a password changed on a still-vulnerable site can simply be stolen again.
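A small shell helper for the first step, added here as an example rather than taken from the page or from any Clarity tooling: it classifies the string printed by `openssl version` against the affected upstream releases, with the caveat that distribution packages often carry the fix without changing that version string. The function names are my own.

```sh
#!/bin/sh
# Added example (not from the page): classify an `openssl version` string.
# Upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 contain the bug;
# 1.0.1g (7 Apr 2014) and later carry the fix; the 0.9.8 and 1.0.0 branches
# never had the heartbeat code at all.

heartbleed_version_status() {
    # $1: the output of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    set -- $1                    # intentional word split: $1 = name, $2 = version
    [ "$1" = "OpenSSL" ] || { echo unknown; return 0; }
    case "$2" in
        1.0.1|1.0.1[a-f]*|1.0.2-beta1) echo vulnerable ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*)  echo fixed ;;
        0.9.*|1.0.0*)                  echo not-affected ;;
        *)                             echo unknown ;;
    esac
}

# Caveat: Debian, Ubuntu and Red Hat shipped the fix as a backport without
# bumping the version string, so "vulnerable" from the function above means
# "check the package changelog for CVE-2014-0160", not "definitely exploitable".
check_this_host() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl binary not found; check the library your services link instead"
        return 1
    fi
    status=$(heartbleed_version_status "$(openssl version)")
    echo "openssl reports: $(openssl version) -> $status"
    case "$status" in
        vulnerable) echo "upgrade to 1.0.1g+ (or a backported package) and restart TLS services" ;;
        fixed)      echo "binary is patched; confirm long-running services were restarted" ;;
    esac
}

# Usage: check_this_host
```

On a Debian or Ubuntu host, `dpkg -s libssl1.0.0 | grep Version` plus the package changelog tells you whether the backport is installed; on Red Hat, `rpm -q --changelog openssl | grep CVE-2014-0160` does the same. Remember that the version of the `openssl` binary is only a proxy: what matters is the library each service loaded, and a service started before the upgrade is still running the old code. For step 2, `openssl genrsa -out new.key 2048` followed by `openssl req -new -key new.key -out new.csr` produces the fresh key and signing request to send to your CA.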


For more information, and for a free tool that tests whether your website is vulnerable, see the resources linked from this page. You can also contact Clarity for a free security consultation if you're thinking about making changes to, or developing, an online application.