
This article was published on April 8, 2014


    OpenSSL has a critical security vulnerability that needs to be patched right away

    Story by Josh Ong

    Josh Ong is the US Editor at The Next Web. He previously worked as TNW's China Editor and LA Reporter.

    The OpenSSL project has just disclosed a devastating security flaw in the protocol that could expose the cryptographic keys and private communications from some of the most important sites and services on the Internet. If you’re running a server with OpenSSL 1.0.1 through 1.0.1f, it’s vital that you update to OpenSSL 1.0.1g immediately.

    Installations of OpenSSL prior to version 1.0.1 are unaffected by the bug, but OpenSSL 1.0.2-beta users will need to address it.
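An added example, not from the article or the OpenSSL project: a Python triage helper that sorts `openssl version` banners into the version ranges given above. The host names and banner strings are constructed sample data, and a banner only shows the upstream version, so a vendor package with a backported fix can still read as affected.

```python
import re

# Matches the upstream version in an `openssl version` banner, e.g. "1.0.1e" or "1.0.2-beta1".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d*)?")


def classify_openssl(banner):
    """Classify a banner using only the version ranges stated in the article."""
    m = _VERSION_RE.search(banner)
    if not m:
        return "unparsed"
    numeric = tuple(int(part) for part in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if numeric < (1, 0, 1):
        return "unaffected"            # releases prior to 1.0.1
    if numeric == (1, 0, 1) and not beta:
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g carries the fix.
        return "affected" if letter < "g" else "fixed"
    if numeric == (1, 0, 2) and beta and not letter:
        return "affected"              # the article lists 1.0.2-beta as affected
    return "not-covered"               # the article says nothing about this release


def hosts_to_patch(inventory):
    """Return the sorted host names whose banner falls in an affected range."""
    return sorted(h for h, b in inventory.items() if classify_openssl(b) == "affected")


# Constructed sample inventory (hypothetical host names and banners).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail-01": "OpenSSL 0.9.8y 5 Feb 2013",
    "vpn-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "db-01": "OpenSSL 1.0.1 14 Mar 2012",
    "build-01": "not installed",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLE_INVENTORY.items()):
        print(f"{host:10} {classify_openssl(banner):12} {banner}")
    print("patch first:", ", ".join(hosts_to_patch(SAMPLE_INVENTORY)))
```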

    Heartbleed.com has a detailed explanation of the issue, which is related to the “heartbeat” section of OpenSSL’s transport layer security (TLS) protocols and has been in the wild since March 2012. This is even more dangerous than Apple’s recent SSL bug, which opened up the possibility for man-in-the-middle attacks, because the Heartbleed bug affects past traffic, reveals encryption keys that could lead to other compromises, and may affect as much as 66 percent of Internet sites.

    The bug was independently discovered by security firm Codenomicon and a Google Security engineer.

    Prior to the publication of the vulnerability, a number of OpenSSL vendors were notified privately in order to give them time to address the issue before it became known. However, not everyone was ready before news of the flaw leaked out, so some vendors will need a few hours to prepare the patch.

    OpenSSL Security Advisory | Heartbleed.com

    Image Credit: JOHANNES EISELE/AFP/Getty Images