Zero-Day SSL Flaw: Change All Passwords, Experts Say
A massive number of websites could be affected by a critical security flaw in technology used in conjunction with websites and web browsers. Experts suggest that all web users change their passwords for all major websites (including banking, social media, etc.), but doing so comes with a number of caveats.
The security flaw is related to SSL (secure sockets layer) and is expected to affect approximately six percent of all websites world-wide. According to a recent survey that reviewed approximately 959 million websites, "66% ... are powered by technology built around SSL, and that doesn't include email services, chat services, and a wide variety of apps available on every platform." (Source: businessinsider.com)
In many cases, SSL is used to encrypt data between a web browser and web server. If anyone intercepts the encrypted data during its journey over the Internet, they'll be unable to make sense of it unless they can crack the encryption, which is extremely difficult, if not verging on impossible.
Websites need to use software to create and control the SSL encryption. The flaw in particular affects software called OpenSSL, which is one of the most commonly used of its type.
Bogus "Heartbeat" Exposes SSL Data Secrets
The problem involves a feature known as a heartbeat. This is where a user's computer sends a small piece of data to check the secure connection is still active. It's the same effect as asking "Are you still there?" during a phone conversation. (Source: businessinsider.com)
Security researchers have discovered that for the past two years there has been a flaw in OpenSSL that allows a hacker to send a bogus "heartbeat" message to a website. This then forces the server hosting the website to send back some of the data in its memory.
Exactly what's in this data will vary from case to case, but it could include user names, passwords and even credit card numbers used by recent visitors to the website. In a worst case scenario, it could even include the encryption key for the website, allowing the hacker to descramble any information that goes to and from the site.
One test suggests that around five to six percent of the most popular websites are affected by the flaw which, based on the "heartbeat" messaging, has been dubbed "heartbleed." It's not yet known if, or how often, hackers have exploited the flaw.
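A bogus heartbeat returns server memory because the heartbeat message states its own payload length, and a responder that trusts that number echoes back more bytes than it was sent. The C sketch below is an added example, not OpenSSL's code or anything from the original article: `hb_build_response` and the sample messages are hypothetical, and the message layout assumed is that of the TLS heartbeat extension (RFC 6520).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST   1   /* heartbeat_request message type */
#define HB_RESPONSE  2   /* heartbeat_response message type */
#define HB_HEADER    3   /* 1-byte type + 2-byte payload length */
#define HB_MIN_PAD  16   /* minimum padding that follows the payload */

/* Build the reply to the heartbeat in msg[0..msg_len). msg_len is the number
 * of bytes actually received, not the length the sender claims. Returns the
 * reply size, or 0 when the message must be silently discarded.
 * Hypothetical helper for illustration, not an OpenSSL function. */
size_t hb_build_response(const uint8_t *msg, size_t msg_len,
                         uint8_t *out, size_t out_cap)
{
    if (msg_len < HB_HEADER + HB_MIN_PAD || msg[0] != HB_REQUEST)
        return 0;                        /* too short, or not a request */

    /* Payload length as claimed by the sender (big-endian, untrusted). */
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];

    /* The check the flaw lacked: the claimed payload plus padding must fit
     * inside what really arrived. Without it, the copy below would read
     * past the request into whatever sits next to it in memory. */
    if (HB_HEADER + claimed + HB_MIN_PAD > msg_len)
        return 0;

    size_t resp_len = HB_HEADER + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;                        /* caller's buffer is too small */

    out[0] = HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HEADER, msg + HB_HEADER, claimed);   /* echo payload */
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD);    /* zero padding here; real stacks use random bytes */
    return resp_len;
}

int main(void)
{
    /* Constructed samples: both carry the 4-byte payload "ping"; the second
     * claims a 256-byte payload it never sent. */
    uint8_t honest[HB_HEADER + 4 + HB_MIN_PAD] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t bogus[HB_HEADER + 4 + HB_MIN_PAD]  = { HB_REQUEST, 0x01, 0x00, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    size_t a = hb_build_response(honest, sizeof honest, out, sizeof out);
    size_t b = hb_build_response(bogus, sizeof bogus, out, sizeof out);
    return (a == sizeof honest && b == 0) ? 0 : 1;   /* honest echoed, bogus dropped */
}
```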
Experts Advise Changing Key Passwords, with Caveats
It's an unusual security issue as there's nothing web users can do to their own computer or software to deal with the flaw. Instead, it's up to website operators to apply an update to the OpenSSL software to fix the flaw.
In the meantime, computer experts are divided about the best way for web users to respond. Some have suggested users should immediately change all the passwords they use on sites that involve data they would want to keep confidential, such as financial or social networking sites.
Others have suggested that users should hold off visiting a site to change the password until they hear the site has applied any necessary fix. That said, not all websites will make such a report; as such, changing all your passwords even a week from now could be a crapshoot.
At the time of writing, Facebook, Google and Twitter are all reported to be safe, while Yahoo is working to fix the issue. (Source: washingtonpost.com)
What's Your Opinion?
Are you concerned by the security implications presented in this article? If so, do you plan on changing all your passwords on the Internet? Have you heard or seen any information from websites you commonly visit telling you about the problem and whether it has been fixed?