When using websites like Google, Amazon, or Yahoo, you’ll often notice a small lock icon next to the URL. This means that the website is using SSL encryption, a method that transfers your data securely. The mainstream software used for this encryption is called OpenSSL, and until recently, it was believed to be extremely secure.
The Heartbleed bug allows an attacker to gain access to a server’s memory, where extremely sensitive information is stored, and read whatever is being held there. By repeating this process multiple times, an attacker can gain access to precious information like usernames and passwords. The terrible thing about this bug, however, is that it leaves no trace. A website could have been attacked multiple times in the two years that this bug has existed, and no one would have a clue about it.
When the findings were published early Monday, OpenSSL was quick to create an update to patch this bug. To make a website completely invulnerable to an attack, however, website administrators must not only upgrade their OpenSSL version but also revoke their SSL certificates and have new ones issued. Major websites like Facebook, Google, and Amazon claim to have already updated and fixed their SSL versions. Smaller stores may take longer to update, however, leaving themselves and their users’ information vulnerable.
It is strongly recommended that users change the passwords they use on vulnerable websites, but only after they are notified that it is safe to do so. If someone changes their password while a website can still be attacked, the new credentials can be compromised without anyone knowing.