Since news broke of the high-profile Heartbleed Web vulnerability, technical professionals have been hard at work both to patch the bug and to quantify exactly how dangerous it really is.
After Heartbleed was made public, many security firms scrambled to find out whether a “worst-case scenario” was possible: one in which hackers could extract a server’s private encryption keys, not just small chunks of data.
Initial signs were good, with security specialists CloudFlare announcing that they had been unable to recover these keys despite extensive testing. Unfortunately, CloudFlare quickly performed an about-turn on the issue and announced that private SSL keys had, in fact, been recovered by exploiting the vulnerability. Recovering the keys required a crowd-sourced effort, but in the end took just nine hours.
Let’s consider the implications of this. There has been some debate about the best time to change passwords on sites affected by Heartbleed: if you change your credentials on a site that has not yet been patched, you may expose both your old and new passwords, and will need to change them again once the patching work has been completed.
If hackers can obtain the private SSL keys as well, changing passwords alone is basically futile: as long as the compromised keys remain in use, hackers can revisit the site and re-access personal details at any time in the future.
With this in mind, CloudFlare have now recommended that all sites affected by Heartbleed revoke and reissue their SSL certificates. This will be time-consuming, disruptive and costly for many companies—but clearly no organisation wants to be the next to hit the headlines as one that’s experienced a real-life data breach related to Heartbleed.
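One way to check whether a site has actually acted on that recommendation is to look at when its current certificate’s validity period began. The script below is an added example, not CloudFlare’s or the article’s own code; it assumes the 7 April 2014 public disclosure date as the cut-off and uses constructed certificate dictionaries in the shape Python’s `ssl.getpeercert()` returns.

```python
import ssl
import socket
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 7 April 2014 (assumed cut-off). A certificate
# whose validity began before this date cannot have been reissued in response.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert: dict) -> datetime:
    """Parse the 'notBefore' field of an ssl.getpeercert() dict into a UTC datetime."""
    # ssl.cert_time_to_seconds understands the 'Apr 10 09:30:00 2014 GMT' format.
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after_heartbleed(cert: dict) -> bool:
    """True if the certificate's validity period began on or after disclosure."""
    return cert_not_before(cert) >= HEARTBLEED_DISCLOSURE


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate of a live server (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Constructed sample dicts mimicking ssl.getpeercert() output; not real certificates.
    old_cert = {"subject": ((("commonName", "example.test"),),),
                "notBefore": "Jan 15 00:00:00 2014 GMT",
                "notAfter": "Jan 15 23:59:59 2016 GMT"}
    new_cert = {"subject": ((("commonName", "example.test"),),),
                "notBefore": "Apr 10 09:30:00 2014 GMT",
                "notAfter": "Apr 10 23:59:59 2016 GMT"}
    for label, cert in (("old", old_cert), ("new", new_cert)):
        print(label, "reissued after Heartbleed:", reissued_after_heartbleed(cert))
```

A start date after disclosure only shows that the certificate was reissued; it does not prove a fresh private key was generated, which a complete remediation also requires.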