Last week we learned that Yahoo fully encrypted traffic between its data centers. A good first step for the industry to follow, I thought.
But this week we learn it may be too little too late. According to The Guardian:
Hundreds of thousands of web and email servers worldwide have a software flaw that lets attackers steal the cryptographic keys used to secure online commerce and web connections, experts say.
They could also leak personal information to hackers when people carry out searches or log into email.
The bug, called “Heartbleed”, affects web servers running a package called OpenSSL.
The bug not only allows hackers to read your confidential stuff, it also gives them the keys that were used to encrypt it. It gets worse.
The vulnerability was introduced in 2011, apparently by accident when the open-source code was updated, but the error was only spotted recently. That has raised fears that some attackers may already have been exploiting it to steal information. “Unfortunately it is not clear at the moment that there is any way to know whether this has already happened, since the vulnerability has been around for two years,” explains Matthew Bloch, the managing director of hosting company Bytemark.
It is the third serious bug in cryptographic connectivity discovered this year.
What’s a user to do? Keep calm? Stiff upper lip?
For users, the simplest thing to do may be to refrain from engaging in sensitive activities on the internet for a few days. Typical responses to security breaches, such as changing passwords, may even serve to exacerbate the problem: a new password sent to a server that has not yet been patched can be captured just as easily as the old one.
Do you need to ask? Here’s MORE.