Like the Shellshock bash bug, the Heartbleed bug is yet another deep-seated, serious vulnerability. This time it is found in the OpenSSL cryptographic software library, an open-source implementation of the SSL/TLS security protocols that is used in about two-thirds of Web servers.
In short, data that is normally protected by SSL/TLS encryption can now be accessed through this weakness. Affected areas include email, instant messaging (IM), web communication and several VPNs (virtual private networks).
Effects and Discovery
Heartbleed compromises the secret keys that are used to identify service providers and to encrypt usernames and their corresponding passwords, traffic and other raw data. In effect, cybercriminals can freely eavesdrop on web communication and steal data directly from services that net users like us assume to be secure. Worse, these malicious actors can use this vulnerability to steal identities and impersonate web services.
If it hadn't been for the team of security engineers at Codenomicon and Google Security, this vulnerability would still have gone unnoticed. Heartbleed went undetected for two years, and any cybercriminals who were aware of it had plenty of time to feast on crucial information from various web communication channels.
According to David Chartier of Codenomicon, they discovered the vulnerability through their product, Safeguard, which came across the bug while automatically testing things such as authentication and encryption.
How Vulnerable Are We to Heartbleed?
Since OpenSSL is the most popular open-source cryptographic library and transport layer security (TLS) implementation used to encrypt traffic on the net, you are most likely affected either directly or indirectly. The social media site you frequently visit, e-commerce sites, company sites, government sites and even the software sites you trust may be susceptible to the Heartbleed bug.
Moreover, you may have client-side software on your PC that could potentially reveal your data if you connect to a compromised service.