Since a fix was released yesterday, a bug has been crawling around the internet for a staggering two years. Introduced to glom on to the system known as OpenSSL back in December of 2011 and in the wild since Open SSL v1.0.1, this bug has been on the web since the 14th of March, 2012. But why was it only made apparent this week, and what can you do?
The good news is that there’s a patch for this bug already released - the bad news is that an unknown amount of individuals could already have been targeted by hackers taking advantage of the bug. The other bad news is that there’s a growing list of websites that still have the non-patched SSL version 1.0.1 software running on their network.
Which sites have been affected?
A community-created Github file shows the top 1000 sites in the world (thanks for the tip, Frank!), identifying which sites work with the version of SSL that’s still venerable to the bug. Included in this list are sites like Flickr, Archive.org, Yahoo.com (and Yahoo Mail), Imgur, OKCupid, XDA-Developers, Steam (SteamCommunity.com), Eventbrite, 500px, and Slate - and a whole lot more.
Sites such as Google, Facebook, YouTube, and Wikipedia do not appear vulnerable at this time. According to OpenSSL officials, both 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, this including releases 1.0.1f and 1.0.2-beta1.
The fellow who discovered this bug is Neel Mehta of Google Security, while coders Adam Langley and Bodo Moeller of Chromium and ACM prepared the fix included in OpenSSL 1.0.1g. Groups using OpenSSL 1.0.2 will still be affected by the bug until the release of version 1.0.2-beta2.
What does the bug do?
To be abundantly clear: this bug has only just been discovered after two full years out in the wild. There’s no knowing the full extent of the damage that’s already been done.
OpenSSL is a cryptographic software - this means that OpenSSL is software being used to protect other software from the public and from malicious attacks. The Heartbleed Bug, as it’s been named, is able to collect 64 kilobytes (64kb) of data at a time, running this vulnerability as many times as they want until they have the data they desire.
How important is this bug? As @KrisJelbring on Twitter (developer Kristoffer Jelbring of Mojang) notes, the appearance of Heartbleed has forced them to drop all support for the legacy Minecraft launcher. Mojang has done this because, as it stands, there’s no way for them to ensure secure logins. Until Amazon’s load balancing service is updated, Mojang will be suspending all of their services.
UPDATE: Amazon servers utilized by Mojang have been updated at this point and all Minecraft servers are now back online.
Mojang made clear, too, that while this bug never allowed hackers to target specific users, there’s no way to guarantee that any one users information wasn’t compromised.
What can you do?
You can avoid the sites listed above - or check your favorite sites at Filippo's Heartbleed checker - until they send out notifications that they’ve patched their servers with the newest version of OpenSSL. We’ll be updating this post as major sites let it be known that they’ve loaded the newest version of the software as they do so.
Otherwise - prepare to change your passwords. For sites that are still being affected, we recommend holding off password changes until the patch is in place since these sites are just as vulnerable today as they were when they first loaded Open SSL v1.0.1.