Heartbleed is a security hole in OpenSSL that was discovered by the Finnish security firm Codenomicon and publicized on April 7, 2014. OpenSSL is the encryption technology used to create secure website connections over HTTPS, establish VPNs, and encrypt several other protocols. Since OpenSSL is used by roughly two-thirds of web servers, the vulnerability is considered one of the most significant security holes discovered since the beginning of the web.
How does Heartbleed work?
The Heartbleed exploit takes advantage of the initial communication between the client and server. This preliminary step is commonly called a "handshake," though OpenSSL provides a variation called a "heartbeat." The heartbeat is used to establish a secure connection, but the data transmitted during the heartbeat is not sent securely.
By sending false information to a server, a hacker can retrieve 64-kilobyte chunks of data from the server's cache. While this is a small amount of data, it is enough to contain a username, password, or other confidential information. By making several requests in a row, a hacker can potentially capture large amounts of private data cached in a server's memory.
The Heartbleed bug is specific to OpenSSL 1.0.1 through 1.0.1f and version 1.0.2-beta1. Other versions of OpenSSL and other types of TLS (transport layer security) implementations are not affected. After the bug was made known on April 7, many web servers were patched immediately with version 1.0.1g. However, it is unknown how many servers were affected and how many still are using the vulnerable version of OpenSSL.
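As an added example (not code from this article or from OpenSSL itself), a simplified C model of the TLS heartbeat record layout from RFC 6520 and the length check that the 1.0.1g fix introduced. The peer's claimed payload length is a 16-bit field, which is where the 64-kilobyte figure above comes from; the vulnerable versions trusted that field without comparing it to the number of bytes actually received. The two sample requests are constructed for the example, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Heartbeat message body (RFC 6520): 1-byte type, 2-byte payload_length,
 * payload bytes, then at least 16 bytes of random padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_MIN_PAD  16

enum hb_status { HB_OK = 0, HB_TOO_SHORT, HB_BAD_LENGTH };

/* The payload_length the peer claims. It is peer-controlled: the vulnerable
 * OpenSSL versions copied that many bytes into the response without checking
 * it against the record that was really received. */
static uint16_t hb_claimed_len(const uint8_t *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* The missing check: header + claimed payload + minimum padding must fit
 * inside the bytes actually received, otherwise the record is discarded. */
enum hb_status hb_validate(const uint8_t *rec, size_t rec_len,
                           uint16_t *payload_len_out) {
    if (rec_len < HB_HEADER + HB_MIN_PAD) return HB_TOO_SHORT;
    uint16_t claimed = hb_claimed_len(rec);
    if ((size_t)HB_HEADER + claimed + HB_MIN_PAD > rec_len) return HB_BAD_LENGTH;
    if (payload_len_out) *payload_len_out = claimed;
    return HB_OK;
}

/* Builds a response that echoes only the validated payload, so no byte
 * beyond the request's real length is ever read. Returns bytes written, 0 if rejected. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap) {
    uint16_t plen;
    if (hb_validate(rec, rec_len, &plen) != HB_OK) return 0;
    size_t need = (size_t)HB_HEADER + plen + HB_MIN_PAD;
    if (need > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)plen;
    memcpy(out + HB_HEADER, rec + HB_HEADER, plen);
    memset(out + HB_HEADER + plen, 0, HB_MIN_PAD); /* real code uses random padding */
    return need;
}

/* Constructed samples: a well-formed 4-byte "ping" request, and a request
 * whose header claims 65535 payload bytes but carries only padding. */
static const uint8_t GOOD_REQ[] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
                                    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
static const uint8_t BAD_REQ[]  = { HB_REQUEST, 0xFF, 0xFF,
                                    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
```

With the check in place the oversized request is dropped instead of answered, which is exactly the behaviour change between the affected releases and 1.0.1g.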
How does Heartbleed affect me?
It is unlikely that you are directly affected by the Heartbleed bug. While the security hole went undetected for two years, there is little evidence that the exploit has been widely used. Still, to be safe, you can protect yourself by updating your passwords for website logins, email accounts, and other online services.
Updated: April 11, 2014