'Heartbleed' bug a critical Internet illness

SAN FRANCISCO - The "Heartbleed" flaw in Internet security is as critical as the name implies and more widespread than first believed.

Warnings about the danger exposed early this week reached widening circles on Thursday, with everyone from website operators and bank officials to Internet surfers and workers who telecommute being told their data could be in danger.

"Heartbleed is a catastrophic bug in OpenSSL," well-known computer security specialist Bruce Schneier said in a post at his schneier.com website.

OpenSSL is a commonly used software platform for encrypted transactions at "https" websites that Internet users have been taught to trust.

The Heartbleed flaw lets hackers snatch packets of data from working memory in computers, creating the potential for them to steal passwords, encryption keys, or other valuable information.

"This is going to be a pretty devastating bug," Trustwave security research manager John Miller told AFP.

"Even after the majority of it is fixed on the Internet, there will be internal services vulnerable."

Threat widens

The Heartbleed flaw can be found in virtual private network (VPN) software commonly used by workers on the go to securely link with company computer networks.

Computer networking titans Cisco and Juniper put out advisories on Thursday that some of their data-handling gear is susceptible to the bug.

"An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server," California-based Cisco said in an advisory note. "The disclosed portions of memory could contain sensitive information."

Canada's tax agency shuttered its website Wednesday after warning that encrypted taxpayer data could be vulnerable.

OpenSSL is commonly used to protect passwords, credit card numbers and other data sent via the Internet.

Webmasters have been scrambling to update to safe versions of OpenSSL. The vulnerability has existed for about two years, since the version of OpenSSL at issue was released.

The Tor Project, devoted to letting people use the Internet anonymously, advised those in need of privacy to stay offline until the Heartbleed threat is ameliorated.
