Some websites running SSL encryption, such as Airbnb, Pinterest, USMagazine.com, NASA, and Creative Commons, among others, were exposed to a major security bug called Heartbleed on Monday.
The bug was reportedly discovered by a member of Google's security team and a software security firm called Codenomicon. A number of other websites, according to a list making the rounds on GitHub, may be vulnerable to the bug as well.
The bug affects web servers running Apache and Nginx software, and it has the potential to expose private information users enter into websites, applications, web email and even instant messages.
And while most security experts advise that you always use websites and services offering SSL security encryption whenever possible, the Heartbleed bug allows malicious operators to defeat this security layer, capture passwords, forge authentication cookies and obtain other private information.
A security patch for the bug was announced on Monday, but many websites are still playing catch-up. That's why websites like the Tor Project are — in a somewhat tongue-in-cheek way — only advising that you stay off the Internet this week if you really care about your security.
One of the messages on the Heartbleed homepage, a site created to address the bug, states: "[The Heartbleed bug] compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content... As long as the vulnerable version of OpenSSL is in use it can be abused."
So far, some of the services and websites that have confirmed an OpenSSL software security update include WordPress, Amazon Web Services, Akamai and others.
On the GitHub list, some of the websites deemed "not vulnerable" to the Heartbleed bug include Google, FourSquare, Evernote and many others.
Another helpful site called the Heartbleed Checker, launched by LastPass, allows you to enter the URL of any website to check its vulnerability to the bug.
3 things you can do to protect yourself
- Wait for an official announcement from any secure website or service that you normally use regarding a security update.
- After you've confirmed that the site or service has installed a security update, change your passwords.
- For at least the next week, keep an eye on any of your sensitive online accounts (banking, webmail) for suspicious activity.
In the meantime, while websites are installing the latest version of OpenSSL to fix the bug, it would be a good idea to wait for confirmed updates on your favorite websites and services and then change your password, just to be as safe as possible.
The Heartbleed Hit List: The Passwords You Need to Change Right Now
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
How to Protect Yourself From the Heartbleed Bug
http://mashable.com/2014/04/09/heartbleed-what-to-do/