What is the Heartbleed bug and who is affected by it?

Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet’s Transport Layer Security (TLS) protocol. The vulnerability is due to a missing bounds check in the handling of the TLS heartbeat extension: the server trusted the payload length claimed in the message and copied that many bytes into its reply, even when the message itself was much shorter.

A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. At that time, some 17 percent (around half a million) of the Internet’s secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers’ private keys and users’ session cookies and passwords. The Electronic Frontier Foundation, Ars Technica, and Bruce Schneier all deemed the Heartbleed bug “catastrophic”. Forbes cybersecurity columnist Joseph Steinberg described the bug as potentially “the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet”.
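The missing bounds check described above, shown as an added example that is not OpenSSL’s own code: a small heartbeat-record validator in the spirit of the fix, which rejects any request whose claimed payload_length does not fit inside the received record before a single byte is echoed back. The message layout follows RFC 6520; the sample records, the constant names and the function names are constructed for this illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* TLS heartbeat message layout per RFC 6520:
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length (big-endian)
 *   payload_length bytes of payload
 *   at least 16 bytes of random padding
 * rec_len is the real length of the message as delivered by the record layer. */
#define HB_HDR_LEN   3
#define HB_MIN_PAD   16
#define HB_REQUEST   1
#define HB_RESPONSE  2

/* Returns the payload length when the claimed payload_length fits inside the
 * received record, otherwise -1. The vulnerable code trusted payload_length
 * without this comparison, so the reply could read past the end of the
 * message into whatever else was in the process's memory. */
int hb_validate(const unsigned char *rec, size_t rec_len) {
    if (rec_len < HB_HDR_LEN + HB_MIN_PAD) return -1;          /* no room for header + padding */
    if (rec[0] != HB_REQUEST) return -1;                        /* only answer requests */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR_LEN + payload + HB_MIN_PAD > rec_len) return -1; /* the bounds check that was missing */
    return (int)payload;
}

/* Builds a heartbeat response echoing only the validated payload. Returns a
 * malloc'd buffer (caller frees) or NULL when the request is rejected. */
unsigned char *hb_response(const unsigned char *rec, size_t rec_len, size_t *out_len) {
    int payload = hb_validate(rec, rec_len);
    if (payload < 0) return NULL;
    *out_len = HB_HDR_LEN + (size_t)payload + HB_MIN_PAD;
    unsigned char *out = malloc(*out_len);
    if (out == NULL) return NULL;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, (size_t)payload);  /* never reads beyond rec */
    memset(out + HB_HDR_LEN + payload, 0, HB_MIN_PAD);            /* padding; real code uses random bytes */
    return out;
}

/* Constructed sample records: a well-formed request carrying a 4-byte
 * payload, and one whose header claims 65535 bytes while the record itself
 * is only 23 bytes long. Trailing bytes are zero-initialised padding. */
const unsigned char HB_GOOD[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
const unsigned char HB_BAD[23]  = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };
```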

How does it affect you?

By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. By leveraging this information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.

Websites Affected

The following sites have services affected or made announcements recommending that users update passwords in response to the bug: Akamai Technologies, Amazon Web Services, Ars Technica, Bitbucket, BrandVerity, Freenode, GitHub, IFTTT, Internet Archive, Mojang, Mumsnet, PeerJ, Prezi, Something Awful, SoundCloud, SourceForge, SparkFun, Stripe, Tumblr, Wattpad, Wikimedia (including Wikipedia), Wunderlist.
