Updated | A flaw has been discovered in one of the Internet’s key security methods, potentially forcing a wide swath of websites to make changes to protect the security of consumers.
The problem was first discovered by a team of Finnish security experts and researchers at Google last week and disclosed on Monday. By Tuesday afternoon, a number of large websites, including Yahoo, Facebook, Google and Amazon Web Services, said they were fixing the problem or had already fixed it.
Researchers were still looking at the impact on consumers but warned it could be significant. Users’ most sensitive information — passwords, stored files, bank details, even Social Security numbers — could be vulnerable because of the flaw.
The most immediate advice from security experts to consumers was to wait or at least be cautious before changing passwords. Changing a password on a site that hasn’t been fixed could simply hand the new password over to hackers. Experts recommended that, before making any changes, users check a site for an announcement that it has dealt with the issue. “This is a good reminder that there are many risks online and it’s important to keep a watchful eye around what you’re doing, just as you would in the physical world,” said Zulfikar Ramzan, the chief technology officer of Elastica, a security company.
The extent of the vulnerability was unclear. Up to two-thirds of websites rely on the affected technology, called OpenSSL. But some organizations appeared to have had advance notice of the issue and had already fixed the problem by Tuesday afternoon. Many others were still working on restoring security…
“It’s a serious bug in that it doesn’t leave any trace,” said David Chartier, chief executive at Codenomicon. “Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there’s no trace they’ve been there.”
Excerpt from “Experts Find a Door Ajar in an Internet Security Method Thought Safe.” I’d encourage you to read the rest when you have time.