A serious security vulnerability, dubbed “Heartbleed,” has recently been reported in OpenSSL, a widely used communications security library. OpenSSL sets up a secure connection between a computer and an application (for example, a website) by encrypting the information exchanged, in order to protect personal and confidential data. On a secure website connection, for instance, a small lock appears in the browser and the site's address begins with https://, indicating that the communication is protected.

The vulnerability could allow attackers to steal sensitive information such as passwords, credit card numbers, and the private keys used to decrypt protected data. The bug has forced several Canadian government sites that may be running a vulnerable version of OpenSSL to suspend access to their websites and Web services.

Luckily, not all websites or applications use a vulnerable version of OpenSSL, and a fix is now available to correct the flaw. However, it is difficult to assess how serious the damage is, because exploitation of this bug leaves no trace.

Users must therefore be doubly vigilant, because malicious actors can exploit the wide publicity around this vulnerability to launch phishing campaigns: fake emails that ask people to change their passwords through fraudulent Web links, in order to steal their personal information.

This situation should also be a wake-up call to users about the impact of reusing the same password across different services (such as e-mail, social networks, and online banking): if that one password is compromised, every account that shares it is exposed.

For more details, consult the following: https://heartbleed.com/

Patrick Paradis, Information Security Consultant