Heartbleed is a very serious security threat that has very recently hit the Internet. A flaw uncovered in the popular encryption system OpenSSL puts sensitive data at risk. The open source version of SSL is common on Linux based servers and software running anything from WordPress pages to large portals storing millions of personal records.
The scale of the threat is not immediately clear. Numerous popular sites and services appear to have been exposed to this bug, with many taking quick action to install fixes to patch the problem. These include Gmail, Facebook and Yahoo.
However the affect and danger from this bug extends beyond these popular sites. This is because many people tend to use credentials (username & password) across multiple services. In this way, a compromised account on a vulnerable service can be stolen and used to penetrate other accounts on other services. This causes a waterfall effect that will take some time to be fully assessed.
Here is a quick list of known affected services:
"We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed. We haven’t detected any signs of suspicious account activity, but we encourage people to ... set up a unique password."
“We have assessed the SSL vulnerability and applied patches to key Google services.” Search, Gmail, YouTube, Wallet, Play, Apps and App Engine were affected; Google Chrome and Chrome OS were not.
Google said users do not need to change their passwords, but because of the previous vulnerability, better safe than sorry.
"As soon as we became aware of the issue, we began working to fix it... and we are working to implement the fix across the rest of our sites right now." Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr were patched. More patches to come, Yahoo says.
“We have assessed the SSL vulnerability and applied patches to key Google services.”
Go Daddy: Affected
"We’ve been updating GoDaddy services that use the affected OpenSSL version."
OpenSSL is used across a whole range of Internet services including email, websites, ecommerce transactions and social media. Google, Yahoo, Facebook and other such popular services have issued their own recommendations to their customers.
These can be summerised into:
+ Change your password now
+ Avoid using the same credentials on multiple sites
+ Watch out for any suspicious activity on your account
The Good News
Whilst OpenSSL is hugely popular, other commercial SSL systems are not affected. These include Microsoft, Amazon, LinkedIn and Apple. These companies (and their services) do not appear be affected since they never made use of the defective software.
Here is a quick list of unaffected services:
LinkedIn: Not affected
"We didn't use the offending implementation of OpenSSL in www.linkedin.com or www.slideshare.net. As a result, HeartBleed does not present a risk to these web properties."
Twitter: Not affected
We were able to determine that [our] servers were not affected by this vulnerability. We are continuing to monitor the situation."
Apple: Not affected
"iOS and OS X never incorporated the vulnerable software and key web-based services were not affected."
Amazon: Not affected
"Amazon.com is not affected."
Microsoft: Not affected
Microsoft services were not running OpenSSL.
Webcraft services are not affected by this threat since none of our systems make use of OpenSSL. Even so we continue to monitor this issue and will take any precautions to keep the data and services of our customers safe.
We would still like to take this opportunity to encourage our customers to adopt a robust password policy such as avoiding using a single password across multiple (unsafe) services.