Secure communications and reliable authentication are vital in a hyper-connected world. That’s why the Heartbleed security hole is a big deal. In case you haven’t heard about it, the short version of the story is that last week a security hole was discovered in OpenSSL, the software library many web servers use to encrypt communications between the server and your browser. The Heartbleed bug allows a hacker to target the server and pull small random chunks of unencrypted data out of its memory. If the hacker does this a lot, say 100,000 times or more, there’s a good chance they can grab passwords or read the private key of the server. Not good.
Estimates are that roughly 17 percent of web servers use OpenSSL, so the bug was common, but not everywhere. Google and Yahoo had the bug, but Apple and Microsoft did not. Most banks were not affected either. For affected sites, the solution is to change your password, but only after the hosting server has been patched; a new password set on an unpatched server can be exposed just like the old one. Fortunately many, but not all, affected servers have already applied the fix (click here for a list of affected sites). It should be pointed out that so far there is no indication of any user accounts actually being hacked, but the potential threat is serious. You can read this column by James Lynn at Forbes for more details on how to protect yourself.