The Internet Had an Unfixed Security Hole for 2 Full Years

April 7, 2014 • Security

It’s time to update all your passwords. Seriously.

To keep data safe as it travels across networks, modern devices use a technology called SSL encryption. One familiar example is its use on web sites, where it is indicated by the padlock icon in your web browser or by URLs beginning with HTTPS. SSL encryption is used for all types of data and communications, however: from web sites and instant messengers to financial, health and government services.

This afternoon, OpenSSL was discovered to have a major security flaw (a bug) that could allow someone to steal the secret keys behind SSL’s padlock encryption. Those secret keys unlock, or decrypt, user names, passwords, credit card information, instant messages, emails, files and virtually any other piece of data, and an attacker could use them while leaving zero trace. The most alarming lesson here is that the security hole had been present for over 2 years.

The default security rule for I.T. networks is security by obscurity; in other words, professional hide and seek. When connected to the Internet, all devices are under constant covert attack, most of which is mitigated through obscurity. Before connecting your devices to the Internet and subjecting your sensitive data to countless risks, it is wise to design a plan to reduce those risks. The most essential part of that plan should be good password practices, such as using strong passwords that you change regularly.

Moments like this in history show how critical security flaws in our society’s technologies often go unresolved for unreasonably long periods. It pays to be proactive in managing one’s own security, because security is a moving target that even the experts overlook from time to time.

After updating your passwords, if you run your own networks, you’ll also want to update your OpenSSL services and certificates.

The bug was discovered and reported to the OpenSSL team by Neel Mehta of Google’s security team. OpenSSL released an emergency patch for the bug along with a Security Advisory with further details.