What the “Heartbleed” Security Bug Means For You

From Lifehacker at http://lifehacker.com/what-the-heartbleed-security-bug-means-for-you-1560801201

Security researchers have discovered a serious vulnerability in OpenSSL, the cryptographic software library that protects many web sites on the internet. Here’s what that means for you, the average user.

There’s a lot of technical information and nuance here, but we’re going to try and make this as simple to understand as possible. If you’re more tech-savvy, I highly recommend reading the Heartbleed FAQ here, which provides more information on the problem.


From The Wire at http://www.thewire.com/technology/2014/04/what-you-need-to-know-about-heartbleed-the-new-security-bug-scaring-the-internet/360366/

The Verge has a very good explanation, so we’ll quote them:

“The bug allows an attacker to pull 64k at random from a given server’s working memory. It’s a bit like fishing — attackers don’t know what usable data will be in the haul — but since it can be performed over and over again, there’s the potential for a lot of sensitive data to be exposed. The server’s private encryption keys are a particular target, since they’re necessarily kept in working memory and are easily identifiable among the data. That would allow attackers to eavesdrop on traffic to and from the service, and potentially decrypt any past traffic that had been stored in encrypted form.”


Additional articles:

http://www.reuters.com/article/2014/04/09/us-cybersecurity-internet-bug-idUSBREA3804U20140409

http://bits.blogs.nytimes.com/2014/04/08/flaw-found-in-key-method-for-protecting-data-on-the-internet/?emc=eta1