Meet Heartbleed: The Huge New Security Flaw for Secure Websites


Internet researchers have found a brand new, very serious vulnerability called the Heartbleed Bug, which makes it possible for hackers to steal encrypted information from secure websites that run certain versions of OpenSSL.

This bug allows attackers to access the memory of the websites running vulnerable versions of OpenSSL software, including the secret keys used to encrypt messages sent by those websites. This gives attackers the ability to decrypt and steal supposedly secure data captured during an encrypted web session.

A Quick Review of Secure Websites (HTTPS)

Online retailers and banks use HTTPS — short for Hypertext Transfer Protocol Secure — to secure messages sent and received by their websites. Have you ever seen a small lock symbol next to the URL of a website? This indicates that the website’s traffic is secured using HTTPS.

The technology behind HTTPS is called SSL, or Secure Sockets Layer. SSL creates an encrypted link between the website and your browser which is supposed to ensure that the website is authentic and that all data passed between you and the website remains private.

Secure websites rely on SSL — and TLS, Transport Layer Security (a newer version of SSL) for creating encrypted sessions. TLS/SSL uses cryptographic keys contained in digital certificates to allow your browser to confirm that web servers are who they say they are. TLS/SSL then generates secret keys used to make sure the data exchanged between you and a secure website is kept private. A hacker that captures SSL/TLS-encrypted messages sees only gibberish – unless he has the secret keys used to encrypt those messages.

OpenSSL and Heartbleed

OpenSSL is an open source software package that many website developers use to perform TLS/SSL encryption. Unfortunately, due a small coding error, certain versions of OpenSSL allow any attacker to send a “heartbeat” message which retrieves small chunks of a vulnerable web server’s memory. By sending heartbeats repeatedly, the attacker can collect quite a bit of information from the server, including secret keys used by TLS/SSL.

This is a big deal, because if attackers can harvest those secret keys, they can use them to decrypt messages sent and received by that server, now or at any time in the past. By decrypting your messages, attackers can steal your website login information as well as other sensitive information like any credit card information exchanged with an online retailer website like Amazon.

In addition, this OpenSSL security flaw – dubbed “Heartbleed” — also allows attackers to see how the website is identifying itself through digital certificates. With this stolen certificate information, cyber thieves can create fake websites that look authentic to both you and your browser.

And the worst part about it is that you would have no idea that an attack had taken place because the stolen website certificate appears to be authentic.

What You Can Do to Mitigate the Risks

Luckily, not all versions of OpenSSL contain this security flaw. There are newer versions out there that have fixed this bug, and discovery of this very high-profile bug will likely trigger a rapid wave of website updates to eliminate it.

But this security flaw has been there for two years, and many websites still use vulnerable versions of OpenSSL, including (as of publication):

  • Yahoo
  • Slate
  • Flickr
  • Ok Cupid
  • Imgur
  • Hide My Ass

If you have an account with any of these websites, you should immediately update your login/password information. These sites will not only have to upgrade to a newer version of OpenSSL, but also change out all of the digital certificates previously issued to their web servers.

Unfortunately, there’s also no way to know if hackers used stolen secret keys to decrypt any of your account information or messages, since they would leave no trace. It’s best to assume the worst and change your logins and passwords today – not just on vulnerable websites, but on every website where you use the same or similar login/password.


Get Private Wifi   Protect your personal information.
Get DataCompress   Cut your mobile data usage.

Jared Howe

Jared Howe is PRIVATE WiFi’s Senior Manager, Product Marketing Communications. Working in high tech for over 15 years, Jared currently lives in Seattle with his wife, daughter, and their two cats.

2 Responses

  1. Helen Vargas says:

    My hope in crypto is renewed after a recovery expert I hired when a sim-swap hack was carried out on my device leaving my crypto account vulnerable. My wallet was accessed and coins moved outside to an external wallet. JimfundsrecoveryAt ConsultantD0t C0m simply pursued my case with a local police report I made/ some required info and was able to recover 95% for me in a 2 weeks long recovery process.  

  2. Dalia Russo says:

    After giving up 0n my hacked crypto account over 1 month ago, I came across Jimfundsrecovery AT consultant com recommendation about crypto wallet recovery on a blog, I slide in and file a complaint to them about how my account was hacked by fake investment platform, I sent my hacked wallet address to them as requested. Well, let me cut this short. Within a few days of sending the required info, I gained access to my account with my coins intact…

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.