When you log on to a certain website for, say, online transactions, you’d notice a little closed lock next to the address bar with “https:” instead of the usual “http:”, denoting a safe and secure environment. This security is provided by an encryption protocol called SSL/TLS, and more specifically by OpenSSL, the library that implements it on most websites. Now, because of this bug, it turns out that up to 64 kilobytes of data can be accessed with every ‘heartbeat’ (a periodic signal used to synchronize client and server interaction), and this flaw lets attackers provoke server responses that carry extra data and basically harvest it. So basically, all of that encryption is not much use when it can be decrypted using the now accessible private master key. Furthermore, any unencrypted data also leaks out, thus the name, ‘Heartbleed’.
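To make the 64-kilobyte figure concrete, here is a small Python simulation of the heartbeat handling that went wrong, alongside the check the fix added. This is an added example, not code from the original post or from OpenSSL itself; the record layout (1-byte type, 2-byte payload length, payload, 16 bytes of padding) follows RFC 6520, and the “process memory” bytearray and the secret placed next to the record are constructed for the demo. The unpatched responder trusts the length field in the request and copies that many bytes, so a request that claims more payload than it carries gets answered with whatever sat in memory after it; the patched responder silently discards any record whose claimed length does not fit in what was actually received.

```python
"""Simulated TLS heartbeat handling: the missing length check behind Heartbleed.

Added example (not the post's or OpenSSL's code). Server memory is a constructed
bytearray: the received record at the front, other server data right behind it.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding

# Constructed stand-in for whatever the server happens to hold next to the record.
SECRET_NEIGHBOUR = b"session-cookie=ABC123; private-key-bytes..."


def build_record(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. claimed_len lets a test build a record whose
    length field disagrees with the payload it actually carries."""
    if claimed_len is None:
        claimed_len = len(payload)
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_len)
            + payload + b"\x00" * PADDING_LEN)


def respond_vulnerable(memory: bytearray, record_len: int) -> bytes:
    """Mirrors the unpatched logic: read payload_length from the record and copy
    that many bytes starting at the payload, never comparing it with record_len.
    Python slicing stops at the end of the simulated memory, so the demo is safe."""
    hbtype = memory[0]
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    copied = bytes(memory[3:3 + payload_len])  # may run far past the record
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len)
            + copied + b"\x00" * PADDING_LEN)


def respond_fixed(memory: bytearray, record_len: int) -> Optional[bytes]:
    """Patched logic: discard the record when type + length + payload + padding
    would exceed the bytes actually received."""
    if record_len < 1 + 2 + PADDING_LEN:
        return None
    hbtype = memory[0]
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if hbtype != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None  # claimed length does not fit: silently drop
    echoed = bytes(memory[3:3 + payload_len])
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len)
            + echoed + b"\x00" * PADDING_LEN)


def simulate(handler, payload: bytes, claimed_len: Optional[int] = None):
    """Place a record in simulated memory and run one responder over it."""
    record = build_record(payload, claimed_len)
    memory = bytearray(record + SECRET_NEIGHBOUR)
    return handler(memory, len(record))


def response_payload(resp: bytes) -> bytes:
    """Pull the payload out of a heartbeat response."""
    (n,) = struct.unpack("!H", resp[1:3])
    return resp[3:3 + n]


if __name__ == "__main__":
    honest = response_payload(simulate(respond_fixed, b"hi"))
    print("honest request, patched server echoes:", honest)
    print("oversized claim, patched server replies:", simulate(respond_fixed, b"hi", 60))
    print("oversized claim, unpatched server replies:",
          response_payload(simulate(respond_vulnerable, b"hi", 60)))
```

The two responders differ only in the single comparison against `record_len`; that comparison is the whole of the fix, which is why upgrading the library (rather than anything a user can do) is what actually closes the hole.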
Who is affected?
The most commonly used versions of OpenSSL, OpenSSL 1.0.1 through OpenSSL 1.0.1f, are vulnerable. The bug was fixed in OpenSSL 1.0.1g.
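For anyone checking their own servers against that range, here is an added Python helper (not from the original post) that parses an OpenSSL version string such as the output of `openssl version` and reports whether it falls between 1.0.1 and 1.0.1f inclusive. The sample version strings are constructed; the letter-suffix ordering (1.0.1 < 1.0.1a < … < 1.0.1f < 1.0.1g) is OpenSSL’s own scheme for that release line.

```python
"""Is this OpenSSL version string in the Heartbleed-affected range (1.0.1 .. 1.0.1f)?

Added example, not the post's own code. Version strings below are constructed.
"""
import re

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text: str):
    """Return (major, minor, patch, letter_index) from strings like
    'OpenSSL 1.0.1e 11 Feb 2013' or '1.0.1f'. A missing patch letter sorts
    before 'a', so map '' -> 0, 'a' -> 1, 'b' -> 2, ..."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, patch, letter = m.groups()
    letter_idx = 0 if letter == "" else ord(letter) - ord("a") + 1
    return (int(major), int(minor), int(patch), letter_idx)


FIRST_AFFECTED = parse_openssl_version("1.0.1")   # first release with the bug
FIRST_FIXED = parse_openssl_version("1.0.1g")     # first release with the fix


def is_heartbleed_affected(text: str) -> bool:
    """True when the version lies in [1.0.1, 1.0.1g); tuples compare field by field."""
    return FIRST_AFFECTED <= parse_openssl_version(text) < FIRST_FIXED


if __name__ == "__main__":
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.0l", "OpenSSL 1.0.2k-fips"):
        print(sample, "->", "affected" if is_heartbleed_affected(sample) else "not affected")
```

One caveat a server operator should know: several Linux distributions shipped the fix as a backported patch without bumping the version string, so a version inside the range means “investigate”, not “confirmed vulnerable”; the distribution’s own advisory or package changelog is the authority on whether the patched build is installed.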
From a consumer point of view, any website that uses a vulnerable version of OpenSSL is open to attack, and these websites can only protect themselves and their users by upgrading to the latest version, which squashes the bug. However, in the two years that the flaw went undetected, tons of data have already gone back and forth, and there’s no saying how much of it has been compromised. Unfortunately, there’s no way to even know whether a user has been exploited using this bug.
What can you do about it?
As of now, your best bet is to change the passwords on your credit card accounts and on any other service holding sensitive information on the internet. The fix is mostly on the service provider’s side, but this is one way of keeping yourself safe. If you’re really concerned, abstaining from online transactions and the like for the next two weeks or so is perhaps a good idea. Until then, stay safe, stay alert!