Heartbleed: Serious OpenSSL zero day vulnerability revealed
Summary: A new OpenSSL vulnerability has shown up and some companies are annoyed that the bug was revealed before patches could be delivered for it.
By Steven J. Vaughan-Nichols April 7, 2014
New security holes are always showing up. The latest one, the so-called Heartbleed Bug in the OpenSSL cryptographic library, is an especially bad one.
While Heartbleed affects only OpenSSL's 1.0.1 series and the 1.0.2-beta release, 1.0.1 is already broadly deployed. Since Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are at the heart of Internet security, this security hole is serious.
The flaw can potentially be used to reveal not just the contents of a secured message, such as a credit-card transaction over HTTPS, but the server's private SSL keys themselves. That key material could then, in theory, be used as a skeleton key to impersonate the server or decrypt its traffic without leaving any trace that a site had been compromised.
This bug is not a problem with OpenSSL's inherent design; it is an implementation problem. That is to say, it is the result of a programming mistake. A fix for the 1.0.1 series is already available in OpenSSL 1.0.1g, and work is proceeding rapidly on a fix for the 1.0.2-beta line. Because the leak leaves no trace, upgrading alone does not rule out that a key was already exposed, so administrators should treat key rotation and certificate reissuance as part of the remediation, not just the library upgrade.
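To show what kind of programming mistake is meant, here is an added C illustration (written for this page; it is not OpenSSL's code and does not come from the article). It models a TLS heartbeat handler, following the record layout of RFC 6520, that trusts the payload length claimed by the peer and copies that many bytes into its echo reply, next to a version that first checks the claimed length against the record actually received. The `SECRET` string, the buffer sizes and the one-byte request claiming 64 bytes are constructed for the demo; the record is placed inside one larger buffer so the over-read stays within the program's own memory and the behaviour is well-defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat record (RFC 6520), added for illustration;
 * this is not OpenSSL's code. Layout:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16)
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Common part: build the echo response. The caller decides which length
 * check to apply before this copy happens. */
static int build_response(const uint8_t *rec, uint16_t payload,
                          uint8_t *resp, size_t resp_cap) {
    size_t total = 3 + (size_t)payload + HB_PADDING;
    if (total > resp_cap) return -1;          /* reply buffer size, checked in both versions */
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);       /* echo `payload` bytes from the request */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)total;
}

/* Vulnerable handler (the programming mistake): the peer-supplied
 * payload_length is trusted, so memcpy reads `payload` bytes starting at the
 * request even when the request is much shorter. Whatever lies after the
 * record in memory is copied into the reply. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *resp, size_t resp_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return build_response(rec, payload, resp, resp_cap);
}

/* Fixed handler: the claimed payload plus mandatory padding must fit inside
 * the record actually received; otherwise the message is silently dropped. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *resp, size_t resp_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload + HB_PADDING > rec_len) return -1;   /* the missing bounds check */
    return build_response(rec, payload, resp, resp_cap);
}

/* Constructed stand-in for neighbouring memory (key material, a session
 * cookie, another user's request) that happens to follow the record. */
static const char SECRET[] = "session-key=0123456789abcdef";

/* Run one heartbeat through the chosen handler. The record (a 1-byte payload
 * claiming a length of 64) sits at the start of one buffer with SECRET right
 * behind it, so the over-read stays inside our own allocation. Returns the
 * response length, or -1 if rejected; sets *leaked to 1 when the response
 * contains SECRET. */
static int run_demo(int use_fixed, int *leaked) {
    uint8_t mem[256] = {0};
    size_t rec_len = 3 + 1 + HB_PADDING;           /* 20 bytes really "on the wire" */
    mem[0] = HB_REQUEST;
    mem[1] = 0; mem[2] = 64;                        /* payload_length = 64 */
    mem[3] = 'A';                                   /* the only real payload byte */
    memcpy(mem + rec_len, SECRET, sizeof SECRET);   /* adjacent data, constructed */

    uint8_t resp[256];
    int n = use_fixed ? heartbeat_fixed(mem, rec_len, resp, sizeof resp)
                      : heartbeat_vulnerable(mem, rec_len, resp, sizeof resp);
    *leaked = 0;
    if (n > 0 && (size_t)n >= rec_len + sizeof SECRET &&
        memcmp(resp + rec_len, SECRET, sizeof SECRET) == 0)
        *leaked = 1;
    return n;
}

int demo_response_len(int use_fixed) { int l; return run_demo(use_fixed, &l); }
int demo_leaks_secret(int use_fixed) { int l; run_demo(use_fixed, &l); return l; }

int main(void) {
    int leaked;
    int n = run_demo(0, &leaked);
    printf("vulnerable: response %d bytes, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_demo(1, &leaked);
    printf("fixed:      response %d (record rejected), secret leaked: %s\n", n, leaked ? "yes" : "no");
    return 0;
}
```

The point of the side-by-side is that nothing about the protocol or the cryptography is wrong: one comparison of a peer-controlled length against the bytes actually received is all that separates the two handlers, which is why the problem is an implementation bug rather than a design flaw, and why a peer can repeat the request at will and collect a fresh slice of memory each time.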