‘Heartbleed’ – a major vulnerability in common encryption software is affecting many websites and online services: SSO Alert Priority High
9 April 2014
Researchers have discovered a long-standing vulnerability in OpenSSL, the software that most websites and many other online services, such as email and VPNs, use to encrypt and secure your communication.
The OpenSSL vulnerability is reported to have been around since 2011. Following recent publicity, there is growing evidence that websites are being targeted using this vulnerability.
Around two-thirds of websites and many other services currently use affected versions of OpenSSL (which stands for Open Secure Socket Layer, the cryptographic software used on most web servers). You would recognise websites using OpenSSL by the small padlock icon in the browser address bar or the ‘s’ added to the ‘http’ prefix of web addresses.
An attacker could use this vulnerability (also referred to as ‘Heartbleed’) to read the memory of systems protected by OpenSSL, which exposes the secret keys used to encrypt traffic, names and passwords, and even content.
This means an attacker can eavesdrop on your communications with a website or service, steal data directly from a website or user, or impersonate a website or user.
A large number of websites and other services are affected, including, for example, Yahoo (now fixed). Most reputable organisations should already be updating their OpenSSL and renewing their certificates to address the issue. However, with so many sites potentially affected, some may not be updated as quickly.
More information is likely to emerge about this issue in coming days.
What can you do?
Each website or service will first need to be fixed by its administrator.
You can also contact any website or service provider you use and ask them if the issue has been addressed.
Once this is done, you should also consider changing your password for any accounts you have on affected sites—particularly if they relate to sensitive, personal or financial information.
Affected websites may begin notifying users to change passwords if they consider it important, but unfortunately, there is no guarantee websites will do this.
If you are a business that operates a website, you should be taking steps to address this issue.
Heartbleed.com explains the technical detail of the issue.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.