SSL (Secure Sockets Layer) is the backbone of internet security. Whenever you’re on a web page and see the lock icon in the URL window, that’s SSL at work; your communication with that website is supposedly encrypted and secure. 2/3 of all sites on the web use SSL. Google, The New York Times, VISA, your health insurer and your bank all use SSL.
Over the weekend, a two-year-old flaw in a software library used by SSL was discovered. That flaw, nicknamed “heartbleed,” allows hackers to view your communication over an SSL connection, stealing your data, your usernames and passwords. What’s more, the flaw would allow stored data on servers to be decrypted and stolen, leaving no trace in the system logs.
It’s important to note that, at this time, it’s unclear whether hackers were ever aware of or exploited the heartbleed flaw.
A patch was released Monday night. We’ve checked in with the servers and systems used by Pixel Juice clients and can report that Google, Facebook, MIVA Merchant and WestHost have all applied the fix. As of yesterday, GoDaddy had not yet taken action.
It is strongly recommended that everyone begin updating passwords for all online accounts where sensitive information has been transmitted. Use strong passwords of at least 15 characters that mix numbers, letters and symbols. Consider programs such as 1Password and LastPass to generate and safely store complex passwords.
Developers wanting to test servers for the vulnerability can use this utility by Filippo Valsorda.