Software Bug Leaves Thousands of Secure Websites Vulnerable to Hackers
Published on: 9th Apr 2014
By: Ian Mansfield
A software bug may have affected millions of websites that offer secure connections for users to protect private information.
The affected software, called OpenSSL, provides the encryption layer used by websites that need to protect information entered into web browsers from being monitored by hackers. Such services could have included banks, private messaging services and emails containing sensitive information.
It's not clear how widespread the vulnerability is, as the attack, which was exposed yesterday, leaves no visible trace.
It could be that no one is using the exploit, or that it has been in widespread use for months. No one knows.
The OpenSSL software is used in the Apache and Nginx web servers, which are the most widely used web server platforms around. It's estimated that around half a million secure websites use those two web server platforms.
"If you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle," said a blog entry about the bug published by the Tor Project which produces software that helps people avoid scrutiny of their browsing habits.
IT companies are racing to fix the bug, and some have shut down secure services until their staff can apply the necessary patches.
The bug in OpenSSL was discovered by researchers working for Google and security firm Codenomicon.
The bug has been present in versions of OpenSSL that have been released over the past two years. The latest version of OpenSSL, released on 7 April, is no longer vulnerable to the bug.
"Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously," wrote the researchers.