A critical flaw that has been with us for some time and could be around for
months to come leaves much of the Internet vulnerable.
Called Heartbleed, the bug affects OpenSSL, a back-end encryption library
that is used by as many as two-thirds of servers connected to the Internet,
including many owned by Yahoo.
It was discovered by a Google researcher and could theoretically allow
attackers to steal a server's private encryption keys and intercept traffic.
Although a patch already exists, The Verge reports that vulnerabilities could
persist for some time:
> For most privacy tools relying on OpenSSL, the takeaway is catastrophic. A
blog post from the Tor Project told users, "if you need strong anonymity or
privacy on the internet, you might want to stay away from the internet
entirely for the next few days while things settle." In many cases, a few days
may not be enough. It will give services time to patch their servers, but if
any private keys were compromised before the patch went up, it would give
attackers free rein in the months to come. Servers can reset their
certificates, but it's slow and expensive, and experts suspect many ...