The Heartbleed bug is a security flaw in OpenSSL, one of the most common data encryption standards. Hackers have had the ability to extract significant pieces of information, including personal data and even credit card information, for more than two years, and this flaw has gone completely unnoticed.
The majority of websites that we use on a daily basis, including Facebook and Amazon, use OpenSSL. In fact, estimates suggest 66% of websites use technology built around SSL (from the 959 million websites reviewed), and that doesn't include email services, chat services and apps.
The issue affects web servers, which can hold significant volumes of information about users, including information that has been stored and uploaded to a website or social networking site. The flaws are so bad that even the encryption keys have been stolen, allowing secure encrypted content to be read.
OpenSSL was notified of the flaws some 2 days before the story broke this week, and so the vulnerability has now been closed. But what does this mean for website users and website owners?
Website Users
As the flaw has been exploited for more than 2 years and has been untraceable, it is possible that your data has already been compromised. If so, you may already be aware of it. The best advice is to go through all of the accounts that you use and change your passwords and, if possible, your user names. Many of the more popular sites like Facebook and Amazon have upgraded their software, so they should now be bug-free, but lesser-used sites may be slower to react, so it is better to keep an eye on these.
Website Owners
As the bug affects most websites using SSL (ecommerce sites, registration sites, etc.), it is important that your website host confirms that their servers are secure.
All Ascensor websites are hosted on dedicated servers in the UK and are completely secure. Within the first few hours of the disclosure we conducted a thorough audit of our systems. Our data centre, in the UK, have confirmed that none of the Ascensor servers were vulnerable.
We also operate a 24/7 managed service for our clients, continuously monitoring website and server performance.
If you are worried about website vulnerabilities then contact our team to discuss your security concerns.