As we all know by now, this is mega-serious and affects all users of Open SSL 1.0.1 through 1.01.f – so those who kept their Open SSL code up to date were in effect penalized.
For information on the vulnerability, see kb.cert.org
I’m just trying to understand why all the news reports are focused on individual communications with websites. SSL protocols, including Open SSL, are used in most ‘trusted’ machine to machine communications. This bug affects routers, switches, operating systems and other applications that support the protocol in order to authenticate senders and receivers and to encrypt their communications.
See list of affected companies here kb.cert.com
What this means is any trusted communications traffic using this protocol is ultimately not trustworthy – it goes way beyond individuals’ ‘handshakes’ and communications with websites. Forget having to plant back doors in encryption libraries, as the NSA allegedly did. The backdoors are already built in. So criminals and other naysayers can essentially eavesdrop on any sensitive communications using Open SSL 1.0.1 such as payment processing, file sharing and more, (although as my colleague Erik Heidt pointed out – this would require a compound attack since Heartbleed enables an attacker to recover anything being processed in memory on the server – rather than a direct attack against in-transit communications).
We’ve all been acclimated to the fact that our sensitive data is no longer well protected while it is at rest. We’ve also learned over the years that retailers, financial services companies, ecommerce providers and others who accept our sensitive transactions can’t always stay ahead of criminal exploits that steal the information.
Now we need to get used to the fact that we can’t trust some of the implementations of the protocols that secure data in transit over public and private internet networks. Until now that was the one area that looked relatively safe, at least to me.