
There is a devastating security vulnerability that has recently been discovered, and I would like to dedicate this post to that subject.
What is it?
Heartbleed is a vulnerability that allows sensitive data to be retrieved from servers and websites, which could severely impact users, companies, and developers alike.
We're talking passwords, credit card numbers, and any information you may have submitted on any particular website. Heartbleed is said to be the biggest Internet security threat in recent history.
How does it work?
When you type a URL (website address) into your browser and see a padlock icon to the left of it, this typically means that any information you submit to that website should be encrypted and therefore secure and safe from hackers and prying eyes.
However, a subtle yet highly critical programming mistake was recently discovered in the SSL/TLS protocol that allows hackers to manipulate the size of the payload in a heartbeat request.
A heartbeat request is sent from one computer to another. It carries a small amount of data, including a field that states the payload size. An attacker can manipulate the request by altering that payload size field.
Say the actual payload of the request is 1 byte. The attacker can intercept the request and essentially lie to the server, claiming that the payload size of the heartbeat request is, say, 20,256 bytes.
This allows the attacker to see an additional 20,255 bytes of data that has been stored in the SSL certificate of that site. More often than not, this data is extremely sensitive.
It could include the information mentioned above or, even worse, the OpenSSL encryption keys, which let the attacker view all sorts of past data as well as future data sent through your browser.
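To make the length mismatch described above concrete, here is an added Python model of the heartbeat exchange. It is not code from the original post and not OpenSSL's code: the message layout follows RFC 6520 (type, two-byte payload length, payload, at least 16 bytes of padding), the "heap" is a constructed byte string standing in for server memory with a made-up session cookie placed after the record, and `vulnerable_respond` / `hardened_respond` are hypothetical names for the unpatched and patched server behaviour. The unpatched model trusts the declared length and so echoes bytes that were never part of the request; the patched model applies the bounds check that a correct implementation performs and silently drops the message.

```python
import struct
from typing import Optional

# TLS heartbeat message layout (RFC 6520):
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 3


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat_request.  claimed_len overrides the real payload length so a
    malformed message (declared size larger than the bytes actually sent) can be built
    for the comparison below."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def vulnerable_respond(record: bytes, heap: bytes) -> bytes:
    """Model of the unpatched behaviour (hypothetical name): the declared payload_length
    is trusted and that many bytes are copied from where the payload starts, regardless
    of how long the received record really was.  `heap` is a constructed stand-in for
    process memory with the record at offset 0 and unrelated data after it."""
    _, claimed = struct.unpack("!BH", record[:HEADER_LEN])
    echoed = heap[HEADER_LEN:HEADER_LEN + claimed]   # over-reads past the record
    return struct.pack("!BH", HB_RESPONSE, claimed) + echoed + b"\x00" * MIN_PADDING


def hardened_respond(record: bytes, heap: bytes) -> Optional[bytes]:
    """Model of the fixed behaviour (hypothetical name): header + declared payload +
    minimum padding must fit inside the record the TLS layer actually delivered, otherwise
    the message is discarded silently as RFC 6520 requires.  `heap` is accepted only for
    symmetry with the vulnerable model; nothing is read beyond the record itself."""
    if len(record) < HEADER_LEN:
        return None
    hb_type, claimed = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HB_REQUEST:
        return None
    if HEADER_LEN + claimed + MIN_PADDING > len(record):
        return None
    payload = record[HEADER_LEN:HEADER_LEN + claimed]
    return struct.pack("!BH", HB_RESPONSE, claimed) + payload + b"\x00" * MIN_PADDING


# Constructed sample: a session cookie that happens to sit next to the record in memory.
SECRET = b"session=0xDEADBEEF;"


def run_scenario() -> dict:
    """Send a 1-byte payload that claims to be much larger, against both models."""
    honest = build_heartbeat(b"A")
    # Claim exactly enough extra bytes to reach past the padding into SECRET.
    lying = build_heartbeat(b"A", claimed_len=len(honest) - HEADER_LEN + len(SECRET))
    heap = lying + SECRET + b"\x00" * 64
    return {
        "honest_ok": hardened_respond(honest, heap),
        "vulnerable_leak": vulnerable_respond(lying, heap),
        "hardened_drop": hardened_respond(lying, heap),
    }


if __name__ == "__main__":
    r = run_scenario()
    print("honest request answered:", r["honest_ok"] is not None)
    print("unpatched model echoed the secret:", SECRET in r["vulnerable_leak"])
    print("patched model dropped the request:", r["hardened_drop"] is None)
```

The check in `hardened_respond` is the whole fix: the length a peer declares is never trusted on its own; it is compared against the length the record layer actually delivered, and anything that does not fit is dropped without a response.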
What Can We Do?
There is a safeguard built into SSL called perfect forward secrecy. Not everyone enables this safeguard, but those who do mitigate the risk to past traffic. For more information regarding perfect forward secrecy visit Heartbleed.com
Thanks: StPeteDesign.com