Heartbleed Removal Guide

Do you know what Heartbleed is?

Heartbleed is a security bug which allows anyone to read data held in the memory of systems protected by the OpenSSL software. OpenSSL is used by numerous Internet hosting services, including e-mail hosting services, game services, and online forum services. With the help of Heartbleed, cyber criminals can compromise large numbers of online accounts by obtaining usernames, passwords, and secret encryption keys. The bug is used to obtain the secret keys that protect credential information and to impersonate services and users. Heartbleed allows attackers to retrieve private information without any user interaction.

The Heartbleed vulnerability stems from the Heartbeat extension of OpenSSL. The extension was introduced in 2011. The vulnerability is present in all OpenSSL builds that use Heartbeat. According to an announcement released on April 13th, 2014, 6.2% of websites using HTTPS are vulnerable; 31% safely support the extension, whereas 63% do not support the Heartbeat extension and are safe. According to the latest research, approximately 1.4 million web servers are still vulnerable.

Heartbleed affected OpenSSL versions from 1.0.1 to 1.0.1f and 1.0.2-beta. The latter version has not been patched yet.
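As an added example (not part of the original guide), the check below turns the affected-version list above into a test that an administrator can run over the output of `openssl version` or over a constructed host inventory; the inventory lines and host names are made up for illustration.

```python
import re

# Matches a bare version ("1.0.1e", "1.0.2-beta1") or the first field of
# `openssl version` output ("OpenSSL 1.0.1e 11 Feb 2013").
_VERSION_RE = re.compile(
    r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta|pre)\d*)?\b"
)


def parse_openssl_version(text):
    """Return (major, minor, fix, letter, prerelease) or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter, pre


def is_heartbleed_affected(text):
    """True if the version falls in the range the guide lists as affected:
    1.0.1 through 1.0.1f, plus the 1.0.2 beta builds. 1.0.1g and later,
    1.0.0, 0.9.8 and the 1.1.x line are not affected."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, fix, letter, pre = parsed
    if (major, minor) != (1, 0):
        return False
    if fix == 1:
        # "" (plain 1.0.1) and single letters a..f are affected; g+ fixed
        return len(letter) <= 1 and letter <= "f"
    if fix == 2:
        # The guide states the 1.0.2 beta is affected and unpatched
        return pre == "beta"
    return False


def check_inventory(lines):
    """Map 'host version' inventory lines (constructed sample format) to
    host -> affected; unparseable versions are reported as None."""
    result = {}
    for line in lines:
        host, _, version = line.strip().partition(" ")
        try:
            result[host] = is_heartbleed_affected(version)
        except ValueError:
            result[host] = None
    return result
```

A version-string match is a reason to investigate, not proof: several distributions backported the fix into packages that still report 1.0.1e, so confirm against the package changelog before deciding a host is vulnerable.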

A lot of websites and services are protected by OpenSSL, which is the most popular open source cryptographic library, and as long as it is not updated, there is a great risk of data leaks. Vulnerable OpenSSL may be used by government sites, software distribution websites, commercial websites, hobby sites, social websites, and other websites where your login information is necessary.

It is highly advisable to change passwords on the websites you use in order to limit the consequences of the Heartbleed bug.

On April 7, 2014, a fixed version of OpenSSL was released. Service providers should install the fix and inform computer users about the issue. The official reference to Heartbleed is CVE-2014-0160, where CVE stands for Common Vulnerabilities and Exposures.

It is argued that the U.S. National Security Agency knew about the vulnerability for at least two years before it was disclosed by a public report. However, the claim is still debatable.

In non-techie terms:

The OpenSSL cryptographic library contains the Heartbleed vulnerability, which enables cyber criminals to obtain sensitive information and exploit it for various purposes. It is a programming error, which is fixed by applying the Heartbleed patch.