Heartbleed

This last week, the identification of a vulnerability called Heartbleed has taken the online security world by storm.

Heartbleed is a massive vulnerability in OpenSSL that has been undermining encrypted website traffic everywhere across the internet.

OpenSSL provides the encryption your web browser uses when it talks to a website. The browser first contacts the site over an ordinary connection to negotiate a special "secure" channel, and the rest of the conversation is then sent over that channel.

Heartbleed takes advantage of an OpenSSL extension called Heartbeat, which is supposed to let your web browser ask the server whether it's still there and still the same computer by sending it a small payload and asking for that payload to be echoed back. The vulnerability, specifically, is a missing bounds check: the server copies back as many bytes as the request claims its payload contains, without checking that claim against the size of the message it actually received, so an attacker can request more data than they should have access to.
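The missing check is small enough to show in a few lines. The following is an added example, not code from the original post or from OpenSSL: a simplified heartbeat handler in its vulnerable form next to a corrected form whose length check mirrors the one added in OpenSSL 1.0.1g. The "receive buffer" is constructed for the demo, with unrelated bytes placed after the heartbeat record to stand in for whatever else happens to sit in the process's memory, and all copies stay inside that buffer so the demo itself is well defined. Names such as heartbeat_reply_vulnerable and build_demo_buffer are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): 1 byte type, 2 byte payload length,
 * the payload itself, then at least 16 bytes of padding. */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16

/* Vulnerable handler: trusts the payload length written inside the message and
 * copies that many bytes back, never consulting how long the record really was.
 * The only bound applied is on the destination, so the demo cannot write past
 * out; in the real bug the reply buffer was sized from the claimed length too. */
size_t heartbeat_reply_vulnerable(const uint8_t *rec, size_t rec_len,
                                  uint8_t *out, size_t out_cap) {
    (void)rec_len;                                   /* never checked: the bug */
    size_t claimed = (size_t)((rec[1] << 8) | rec[2]);
    if (claimed > out_cap) claimed = out_cap;
    memcpy(out, rec + HB_HEADER_LEN, claimed);       /* reads beyond the record */
    return claimed;
}

/* Fixed handler: refuse any message whose claimed payload plus header and
 * padding does not fit inside the record that actually arrived. Returns 0 on
 * success with *out_len set, -1 when the message is rejected. */
int heartbeat_reply_fixed(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap, size_t *out_len) {
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN) return -1;
    size_t claimed = (size_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER_LEN + claimed + HB_PADDING_LEN > rec_len) return -1;
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HB_HEADER_LEN, claimed);
    *out_len = claimed;
    return 0;
}

/* Constructed demo buffer: a heartbeat request carrying the 4-byte payload
 * "ping" whose header claims `claimed` bytes, followed by padding and then
 * unrelated data that stands in for neighbouring process memory.
 * Returns the real length of the heartbeat record (23 bytes). */
enum { RECV_BUF_LEN = 64 };
size_t build_demo_buffer(uint8_t *buf, uint16_t claimed) {
    memset(buf, 0, RECV_BUF_LEN);
    buf[0] = 1;                                      /* heartbeat_request */
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xFF);
    memcpy(buf + HB_HEADER_LEN, "ping", 4);
    memset(buf + HB_HEADER_LEN + 4, 0xAA, HB_PADDING_LEN);
    memcpy(buf + 23, "NOT-PART-OF-THIS-MESSAGE", 24);   /* neighbouring data */
    return HB_HEADER_LEN + 4 + HB_PADDING_LEN;
}

/* Run the vulnerable handler on a request that claims 32 payload bytes. */
size_t demo_vulnerable(uint8_t *out, size_t out_cap) {
    uint8_t buf[RECV_BUF_LEN];
    size_t rec_len = build_demo_buffer(buf, 32);
    return heartbeat_reply_vulnerable(buf, rec_len, out, out_cap);
}

/* Run the fixed handler on the same request; expected to reject it. */
int demo_fixed_oversized(void) {
    uint8_t buf[RECV_BUF_LEN], out[RECV_BUF_LEN];
    size_t n = 0;
    size_t rec_len = build_demo_buffer(buf, 32);
    return heartbeat_reply_fixed(buf, rec_len, out, sizeof out, &n);
}

/* Run the fixed handler on an honest request; returns the echoed length. */
size_t demo_fixed_honest(void) {
    uint8_t buf[RECV_BUF_LEN], out[RECV_BUF_LEN];
    size_t n = 0;
    size_t rec_len = build_demo_buffer(buf, 4);
    if (heartbeat_reply_fixed(buf, rec_len, out, sizeof out, &n) != 0) return 0;
    return n;
}

int main(void) {
    uint8_t out[RECV_BUF_LEN];
    size_t n = demo_vulnerable(out, sizeof out);
    printf("vulnerable handler echoed %zu bytes for a 4-byte payload: %.*s\n",
           n, (int)n, out);
    printf("fixed handler on the same request: %d (expect -1)\n",
           demo_fixed_oversized());
    printf("fixed handler on an honest request: %zu bytes\n", demo_fixed_honest());
    return 0;
}
```

The check in heartbeat_reply_fixed is the whole patch in spirit: every length that comes from the peer is compared against the length the transport actually delivered before it is used to index memory. Note that the vulnerable handler's (void)rec_len line is the tell a reviewer should look for in any parser, a length passed in but never consulted.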

xkcd provides a relatively good explanation as to what has gone wrong.

And here's the Wikipedia page for Heartbleed if you'd like more detailed technical info.

You may or may not know that UCRSI.org uses OpenSSL to encrypt its communications as well. However, UCRSI.org uses a version of OpenSSL that DOES NOT contain the Heartbleed vulnerability. None of our traffic has been compromised, and our users' passwords and account information are safe.

As OpenSSL is the most widely used library for encrypting web traffic, it may be useful to find out whether any web services you use were affected, and change your password on those. If you can't find out, I'd change your password anyway; changing your passwords over time is good security policy regardless. I know for a fact that Tumblr and Reddit were vulnerable. Google, Facebook, and PayPal claim their services were not affected.

Mobile devices may also be affected. Be sure to keep all devices, including tablets, phones, and yes, laptops and desktops too, up to date.