The Internet is all abuzz with news of the Heartbleed bug which was discovered in the popular OpenSSL encryption library. For those who haven’t heard, the OpenSSL library had a bug in it which means that a cyber-criminal or a government agency can decrypt all the traffic which was flowing over a supposedly secure connection. Most of us use secure connections when we sign in to Gmail or Google Play etc and send our email address and password to Google for verification. A secure connection is used so that an eavesdropper can’t read our passwords. This isn’t only true of Google services, but all the major services use HTTPS when we sign in or when you perform an online financial transaction.
Google has announced that it has updated the OpenSSL library on its servers (and we presume revoked the certificate keys) for Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. The search giant says that Google Chrome and Chrome OS are not affected.
Heartbleed is particularly severe because the bug has been in the OpenSSL library for two years and if a government agency did discover the bug (and didn’t tell anyone) then all past and future traffic to an exploited website is open for decryption. The reason is that the actual private keys which are associated with a site’s SSL certificate can be read. Once the keys have been read then all traffic to and from the site can be decrypted even traffic that was captured previously and stored away in a deep government archive.
Tumblr has suggested that today might be a good day to “call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking.” The problem with Tumblr’s advice is that until the major services actually give the all clear, like Google has, then changing your password won’t be of any value as your new password can be just as quickly compromised. Only once a service has updated to the latest version of OpenSSL and revoked its certificates can users safely change their passwords!
A few of Google’s services are still being updated most notable Cloud SQL, which Google says is being patched right now, and Google Compute Engine. In the case of the latter Google says that its customers need to manually update OpenSSL on each running instance or should replace any existing images with versions including an updated OpenSSL.
The ironic thing is that Neel Mehta of Google was actually credited with finding the bug.
Google also reported that Android isn’t affected by the bug with the exception of Android 4.1.1. The bug is called Heartbleed as the error is related to the TLS heartbeat extension. Android 4.1.2 disabled the use of the heartbeat functionality for better wpa_supplicant interoperability.
The ironic thing is that Neel Mehta of Google was actually credited with finding the bug, so you would have thought that Google had a head start on fixing the issue and its services should have already been secure before the news hit the net. Maybe Google has become too much of a corporate for that to have happened!