Meet Heartbleed: The Huge New Security Flaw for Secure Websites
Posted on April 15th 2014
Internet researchers have found a brand new, very serious vulnerability called the Heartbleed Bug, which makes it possible for hackers to steal encrypted information from secure websites that run certain versions of OpenSSL.
This bug allows attackers to access the memory of the websites running vulnerable versions of OpenSSL software, including the secret keys used to encrypt messages sent by those websites. This gives attackers the ability to decrypt and steal supposedly secure data captured during an encrypted web session.
A Quick Review of Secure Websites (HTTPS)
Online retailers and banks use HTTPS -- short for Hypertext Transfer Protocol Secure -- to secure messages sent and received by their websites. Have you ever seen a small lock symbol next to the URL of a website? This indicates that the website’s traffic is secured using HTTPS.
The technology behind HTTPS is called SSL, or Secure Sockets Layer. SSL creates an encrypted link between the website and your browser which is supposed to ensure that the website is authentic and that all data passed between you and the website remains private.
Secure websites rely on SSL and its newer successor TLS (Transport Layer Security) to create encrypted sessions. TLS/SSL uses cryptographic keys contained in digital certificates so that your browser can confirm that a web server is who it says it is. TLS/SSL then generates secret session keys that keep the data exchanged between you and the secure website private. A hacker who captures SSL/TLS-encrypted messages sees only gibberish -- unless he has the secret keys used to encrypt those messages.
OpenSSL and Heartbleed
OpenSSL is an open source software package that many website developers use to perform TLS/SSL encryption. Unfortunately, due to a small coding error, certain versions of OpenSSL allow any attacker to send a “heartbeat” message that retrieves small chunks of a vulnerable web server’s memory. By sending heartbeats repeatedly, the attacker can collect quite a bit of information from the server, including the secret keys used by TLS/SSL.
This is a big deal, because if attackers can harvest those secret keys, they can use them to decrypt messages sent and received by that server, now or at any time in the past. By decrypting your messages, attackers can steal your website login information as well as other sensitive information like any credit card information exchanged with an online retailer website like Amazon.
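The coding error described above comes down to a missing bounds check: the server trusts the length field inside the heartbeat message instead of the length of the message it actually received. The following toy handler, an added illustration and not OpenSSL's code, shows the vulnerable logic beside its patched form and runs both against a constructed heartbeat whose header claims 64 bytes but carries only 4, with a constructed placeholder secret placed right after the record; the secret value, the `heartbeat_leaks_secret` helper and the buffer layout are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>
/* Heartbeat record (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define PADDING 16
typedef size_t (*heartbeat_fn)(const unsigned char *rec, size_t rec_len, unsigned char *out);
/* Vulnerable handler: trusts the peer-supplied payload_length and echoes that many bytes
   back, never checking how long the record actually was. Returns the response length. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    (void)rec_len;                                       /* the real length is never consulted */
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];        /* heartbeat_response, same length */
    memcpy(out + 3, rec + 3, payload);                   /* reads past the record if payload is larger */
    return 3 + payload + PADDING;
}

/* Patched handler: a bounds check of the kind the OpenSSL fix added. A record whose declared
   payload (plus header and padding) exceeds the bytes actually received is silently dropped. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < 3) return 0;
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    if (1 + 2 + (size_t)payload + PADDING > rec_len) return 0;
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return 3 + payload + PADDING;
}

/* Constructed scenario: a 4-byte "ping" whose header declares `declared_len` bytes, with a
   constructed secret placed right after the record (where other connection data would sit). One
   array keeps the over-read inside memory we own. Returns 1 if the response contains the secret. */
int heartbeat_leaks_secret(heartbeat_fn handler, unsigned int declared_len, size_t *resp_len) {
    static const char secret[] = "SESSION-KEY-DEMO";    /* constructed placeholder, 16 bytes */
    unsigned char mem[256] = {0}, out[512] = {0};
    size_t n = 0;
    if (declared_len > sizeof mem - 3) return -1;         /* keep the demo inside `mem` */
    mem[n++] = 1;                                         /* heartbeat_request */
    mem[n++] = (unsigned char)(declared_len >> 8);
    mem[n++] = (unsigned char)declared_len;
    memcpy(mem + n, "ping", 4); n += 4;
    n += PADDING;                                         /* zero padding is already in place */
    memcpy(mem + n, secret, sizeof secret - 1);           /* adjacent "secret" memory */
    *resp_len = handler(mem, n, out);                     /* out+3 mirrors mem+3: over-read lands at out+n */
    return *resp_len > n && memcmp(out + n, secret, sizeof secret - 1) == 0;
}
int main(void) {
    size_t len; int leak = heartbeat_leaks_secret(heartbeat_vulnerable, 64, &len);
    printf("vulnerable handler: leaked=%d, response=%zu bytes\n", leak, len);
    leak = heartbeat_leaks_secret(heartbeat_fixed, 64, &len);
    printf("fixed handler:      leaked=%d, response=%zu bytes\n", leak, len);
    return 0;
}
```

The patched handler still answers an honest heartbeat (declared length equal to the real payload), which is the check a reviewer should confirm alongside the rejection of oversized requests.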
In addition, this OpenSSL security flaw -- dubbed “Heartbleed” -- also allows attackers to see how the website is identifying itself through digital certificates. With this stolen certificate information, cyber thieves can create fake websites that look authentic to both you and your browser.
And the worst part about it is that you would have no idea that an attack had taken place because the stolen website certificate appears to be authentic.
What You Can Do to Mitigate the Risks
Luckily, not all versions of OpenSSL contain this security flaw. There are newer versions out there that have fixed this bug, and discovery of this very high-profile bug will likely trigger a rapid wave of website updates to eliminate it.
But this security flaw has been there for two years, and many websites still use vulnerable versions of OpenSSL. If you have an account with an impacted website, you should immediately update your login/password information. These sites will not only have to upgrade to a newer version of OpenSSL, but also replace all of the digital certificates previously issued to their web servers.
Unfortunately, there’s also no way to know if hackers used stolen secret keys to decrypt any of your account information or messages, since they would leave no trace. It’s best to assume the worst and change your logins and passwords today -- not just on vulnerable websites, but on every website where you use the same or similar login/password.