by Kazeem Olalekan

heartbleed

My heart bleeds not because I am an independent prescriber in Cardiology. This is not because I hope to develop a specialisation in paediatric cardiology. It is however because the two things I have commented upon lately have come together so devastatingly. I talked about how it is best practice to encrypt website using the Secure Hypertext Transfer protocol. I also recently described the open source philosophy. It is now clear that a security bug has existed in the OpenSSL implementation of SSL for the past 2 years leading to the potential compromise of your and my valuable encrypted data. The bug, otherwise known as the heartbleed bug, makes it possible for attackers to access sensitive data, compromising the security of the server and its users. Potentially vulnerable secure data include the server’s private master key, which enables attackers to decrypt current or stored traffic via passive man-in-the-middle attack (if perfect forward secrecy is not used by the server and client), or active man-in-the-middle if perfect forward secrecy is used. The vulnerability might also reveal unencrypted parts of other users’ sensitive requests and responses, including any form post data in users’ requests, session cookies and passwords, which might allow attackers to hijack the identity of another user of the service.

As I have said recently, adopting best practice does not stop someone so determined from breaking down your door. This is clearly a front door attack; using my previous analogy. To mitigate this, users are advised to change their online login credentials. I will be changing all my online logins (especially Yahoo & Facebook & LinkedIn) and implementing the Google Two-step verification for all my Google accounts.

You can also test your server for heartbleed vulnerability here.

Just as a test, I checked on a project I implemented lately and as I guessed, all is well. Customers need not worry.