What You Need to Know About Heartbleed

You’ve heard about it. But what exactly is Heartbleed and what does it do?

Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet’s Transport Layer Security (TLS) protocol. This vulnerability is due to a “missing bounds” check in the handling of the Transport Layer Security (TLS) heartbeat extension.

As a result of this vulnerability, a fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. It has been estimated as of this month that approximately 17 percent of the Net’s secure web servers that were previously certified as “trusted” are actually vulnerable to attack.

What is at risk?

Theft of a server’s private keys and the end user’s session cookies and passwords are vulnerable. Some respected Internet reporting sources, including The Electronic Frontier Foundation, Ars Technica all have described the Heartbleed bug as “catastrophic.” Prominent cybersecurity columnist Joseph Steinberg wrote, “Some might argue that Heartbleed is the worst vulnerability found since commercial traffic began to flow on the Internet.”

What can you do?

It’s generally recommended that people should change passwords from the websites they use. Actually, many websites have corrected the bug and are advising what if any further actions should be taken. Enhanced privacy measures are also suggested.

If you are an enterprise user and are concerned about possible exposure with mission-critical systems, you should take action now, As an experienced Managed Services Provider, CRA can offer additional corrective actions for more potent security.  Please contact CRA at 212-376-4040 or services@consultcra.com to engage CRA.