Two days ago, CVE-2014-0160 ("Heartbleed") was reported to the world. This is a bug in the OpenSSL cryptographic library, present in versions 1.0.1 through 1.0.1f, that allows a malicious user to read server memory without authenticating. The flaw is in OpenSSL's implementation, not in the TLS standard itself, but OpenSSL is so widely deployed that the effect is much the same: any server running an affected version, including servers on two of the most popular web platforms, Apache and Nginx, may have its private keys and server memory disclosed.
This means your username, password, and any other information passed between you and an affected server IS VULNERABLE. This bug affected Facebook, Google, and other major providers.
Here's what you (non-server users) need to do:
- Test every site you use with this tool: http://filippo.io/Heartbleed
- If it's safe (the site has been patched), change your password, since it may already have been read out of server memory before the fix.
- If not, assume anything you've done and anything you will do on that site is compromised until they fix it. DO NOT CHANGE YOUR PASSWORD ON THESE SITES UNTIL THEY'VE FIXED THE VULNERABILITY, or the new password can be stolen the same way.
A bit of background information:
This bug abuses the TLS "heartbeat" extension (RFC 6520), a keep-alive in which one side sends a small payload and the other side echoes it back. The request carries its own payload length, and affected OpenSSL versions trusted that length without checking it against the number of bytes actually received. A malicious request that claims a large payload makes the server copy up to 64 KB of memory adjacent to the request buffer on the heap into its reply, and an attacker can repeat this as often as they like. This renders anything stored in the server's memory, including passwords, private keys, user sessions, etc., completely vulnerable.
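The following is an added illustration, not code from the original post or from OpenSSL itself. It is a simplified model of OpenSSL's heartbeat handler (the real one lives in tls1_process_heartbeat) with the two length checks from the fix behind a check_bounds flag, so the vulnerable and patched behaviour can be compared on the same input. The record layout (type byte, 2-byte length, payload, 16 bytes of padding) matches the extension; the arena, the NEIGHBOUR string and the function names are constructed for the demo, and the "neighbouring memory" is laid out inside a buffer we own so the over-read stays defined here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* minimum padding a heartbeat record carries */

/*
 * Build the response to a received heartbeat record laid out as
 *   [type:1][payload_length:2][payload:payload_length][padding:>=16]
 * rec_len is how many bytes the peer actually sent. With check_bounds == 0
 * this behaves like OpenSSL before 1.0.1g; with check_bounds == 1 it applies
 * the two length checks the fix added. Returns the response length and stores
 * a malloc'd response in *out, or returns -1 if the record is rejected.
 */
static int process_heartbeat(const unsigned char *rec, size_t rec_len,
                             int check_bounds, unsigned char **out)
{
    const unsigned char *p = rec, *pl;
    unsigned int hbtype, payload;
    unsigned char *buffer, *bp;

    /* Fix, part 1: a record must at least hold type + length + padding. */
    if (check_bounds && 1 + 2 + HB_PADDING > rec_len)
        return -1;

    hbtype = *p++;
    payload = ((unsigned int)p[0] << 8) | p[1];   /* peer-chosen, up to 65535 */
    p += 2;
    pl = p;

    if (hbtype != TLS1_HB_REQUEST)
        return -1;

    /* Fix, part 2: the claimed payload must lie inside the received record. */
    if (check_bounds && 1 + 2 + payload + HB_PADDING > rec_len)
        return -1;

    buffer = malloc(1 + 2 + payload + HB_PADDING);
    if (buffer == NULL)
        return -1;
    bp = buffer;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)payload;
    /* The bug: copies `payload` bytes on the peer's say-so. Without the checks
       above, everything past the end of the received record, i.e. neighbouring
       heap memory, is echoed back to the peer. */
    memcpy(bp, pl, payload);
    bp += payload;
    memset(bp, 0, HB_PADDING);   /* OpenSSL fills the padding with random bytes */
    *out = buffer;
    return (int)(1 + 2 + payload + HB_PADDING);
}

/* Constructed stand-in for data that sits next to the record buffer in the
   server's heap: a session cookie here; keys and passwords in practice. */
static const char NEIGHBOUR[] = "session=abc123;";

/* Send a 7-byte request that claims a 32-byte payload. Returns 1 if the
   response contains NEIGHBOUR (memory leaked), 0 if the request was rejected,
   -1 if it was answered without a leak. */
static int malicious_request_leaks(int check_bounds)
{
    unsigned char arena[64] = {0};      /* record followed by "heap" neighbours */
    unsigned char *resp = NULL;
    size_t rec_len = 1 + 2 + 4;         /* type, length, "ping": 7 bytes sent */
    int n, leaked;

    arena[0] = TLS1_HB_REQUEST;
    arena[1] = 0x00;
    arena[2] = 0x20;                    /* claims 32 bytes of payload */
    memcpy(arena + 3, "ping", 4);
    memcpy(arena + rec_len, NEIGHBOUR, sizeof NEIGHBOUR - 1);

    n = process_heartbeat(arena, rec_len, check_bounds, &resp);
    if (n < 0)
        return 0;
    /* Response payload starts at offset 3: "ping", then whatever followed it. */
    leaked = memcmp(resp + 3 + 4, NEIGHBOUR, sizeof NEIGHBOUR - 1) == 0;
    free(resp);
    return leaked ? 1 : -1;
}

/* A well-formed request (4-byte payload plus 16 bytes of padding) must still
   be answered after the fix. Returns 1 if the payload is echoed back. */
static int legitimate_request_echoed(int check_bounds)
{
    unsigned char rec[1 + 2 + 4 + HB_PADDING] = {0};
    unsigned char *resp = NULL;
    int n, ok;

    rec[0] = TLS1_HB_REQUEST;
    rec[1] = 0x00;
    rec[2] = 0x04;
    memcpy(rec + 3, "ping", 4);

    n = process_heartbeat(rec, sizeof rec, check_bounds, &resp);
    if (n < 0)
        return 0;
    ok = resp[0] == TLS1_HB_RESPONSE && memcmp(resp + 3, "ping", 4) == 0;
    free(resp);
    return ok;
}

int main(void)
{
    printf("vulnerable, malicious request:  %s\n",
           malicious_request_leaks(0) == 1 ? "leaked neighbouring memory" : "no leak");
    printf("patched,    malicious request:  %s\n",
           malicious_request_leaks(1) == 0 ? "rejected" : "accepted");
    printf("patched,    legitimate request: %s\n",
           legitimate_request_echoed(1) ? "echoed" : "rejected");
    return 0;
}
```

The second check is the whole fix: the server may only echo as many bytes as the peer actually sent, and a record too short to carry its own claimed payload is dropped. Note that the vulnerable path still answers the legitimate request correctly, which is why the bug went unnoticed for two years; nothing misbehaves unless the peer lies about the length.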