Secured Sockets Layer, a.k.a. Open SSL, Heartbleed bug

A protocol that delivers server authentication, data encryption, and message integrity. SSL is layered beneath application protocols, such as HTTP, SMTP, Telnet, FTP, Gopher, and NNTP, and layered above the connection protocol TCP/IP.

This strategy allows SSL to operate without depending on the Internet application protocols. With SSL implemented on both the client and server, your Internet communications are transmitted in encrypted form. Information you send can be trusted to arrive privately and unaltered to the server you specify (and no other). In short, it is a form of channel encryption.

OpenSSL refers to an open-source implementation of the SSL and TLS (Transport Layer Security) protocols. The core library, written in the C programming language, implements the basic cryptographic functions and provides various utility functions.

Historical perspective: The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit. However, on April 11, 2014 the Internet-connected world was introduced to a new bug, colorfully named Heartbleed, that exposed about two-thirds of web servers — and probably about a quarter of all sites — to potential pilfering of sensitive, supposedly encrypted information: passwords, credit card numbers, etc. Google engineers discovered the bug in the OpenSSL encryption software, then quietly notified OpenSSL, which started secretly helping companies patch the bug before going public amid fears that hackers had discovered the hole, too. According to Peter Weber as seen in The Week, the Heartbleed bug is a real threat.

How big of a deal is Heartbleed? "It's easily the worst vulnerability since mass-adoption of the internet," Matthew Prince, CEO of cybersecurity firm CloudFlare Inc., tells The Wall Street Journal. "It's going to be really bad." How bad? "We don't know to what extent this flaw has been targeted by hackers, we are in the dark here about the extent of how it is been used," David Emm, senior security researcher at Kaspersky Lab, tells CNBC. "We can't quantify the scale of the damage."

So, what can you do about it? Unless you're an IT person at a bank or social media service or other websites that relies on OpenSSL encryption, not a whole lot. Those companies have to update their encryption — a process that involves more than just affixing the OpenSSL patch. Once a vulnerable site is secure again, you should change your password. Seriously, change it. If a site hasn't fixed the encryption problem, changing your password is useless, or worse. How can you tell? CNET has a list of popular sites and their Heartbleed status, the link is below.

See also : secure server  open source  OSI  bug  virus  
NetLingo Classification: Net Technology