
Widespread Encryption Bug, Heartbleed, Can Capture Your Passwords

Heartbleed bug

An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook — and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years.

Heartbleed is one of the biggest and most widespread vulnerabilities in the history of the modern web. The problem stemmed from an errant line of code in the open-source project OpenSSL. About 66% of web servers rely on OpenSSL to encrypt data and keep things secure.

The bug in OpenSSL meant that a server's secret encryption keys — which are what ensures that your passwords and other data are securely transmitted — could be stolen from a web server without anyone knowing. The bug existed in OpenSSL for more than two years before being publicly patched and announced.

The bug affects web servers running Apache and Nginx software, and it has the potential to expose private information that users enter into websites, applications, web email and even instant messages.

And while most security experts advise that you always use websites and services offering SSL encryption whenever possible, the Heartbleed bug allows malicious operators to defeat this security layer and capture passwords, forge authentication cookies and obtain other private information.