Yesterday's announcement of the Heartbleed Bug, a vulnerability in the widely deployed OpenSSL library, is set to shake up the security industry.
According to the discoverers at Codenomicon and Google, all Apache web servers and most recent distributions of open source operating systems suffer from this bug in the way an SSL heartbeat function works. An attacker can easily read encryption keys, usernames and passwords, and other data held in the memory of a vulnerable server. Malicious servers can just as easily do the same to every client that connects to them.
This is bad.
Read the full description and Q&A at heartbleed.com.
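The defect class behind the memory disclosure described above is a handler that trusts a length field supplied by the peer instead of the number of bytes it actually received, and then copies that many bytes back. The following is an added illustration written for this post, not OpenSSL's code and not a working exploit: the wire format, the `echo_vulnerable` and `echo_hardened` handlers, and the `memory` stand-in for process memory are all constructed here, and the "secret" placed next to the record is a made-up string. It shows why the hardened check must compare the claimed payload length against the received record length, not only against the output buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy heartbeat record: [type:1][payload_len:2 big-endian][payload...]
 * (an assumption for this example, not the real TLS heartbeat encoding). */
#define HB_HEADER 3

static size_t claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Vulnerable form: the claimed length is only checked against the output
 * buffer, never against how many bytes actually arrived, so a short record
 * that claims a large payload makes memcpy read past the record into
 * whatever follows it in memory. Returns bytes echoed, or -1 if rejected. */
int echo_vulnerable(const uint8_t *buf, size_t received, uint8_t *out, size_t out_cap) {
    (void)received;                       /* the bug: received size is ignored */
    size_t len = claimed_len(buf);
    if (len > out_cap) return -1;
    memcpy(out, buf + HB_HEADER, len);    /* over-read when len > received - HB_HEADER */
    return (int)len;
}

/* Hardened form: the claimed length must fit inside the bytes received. */
int echo_hardened(const uint8_t *buf, size_t received, uint8_t *out, size_t out_cap) {
    if (received < HB_HEADER) return -1;  /* not even a full header */
    size_t len = claimed_len(buf);
    if (len > received - HB_HEADER) return -1;  /* claimed payload exceeds the record */
    if (len > out_cap) return -1;
    memcpy(out, buf + HB_HEADER, len);
    return (int)len;
}

/* Stand-in for process memory: the record sits at the start and unrelated
 * sensitive data (constructed) sits right after it. Keeping both inside one
 * array keeps the demonstration deterministic and within defined behaviour. */
static uint8_t memory[64];
static const char SECRET[] = "SECRET-KEY-MATERIAL";   /* constructed placeholder */

/* Returns 1 if the vulnerable handler echoed the adjacent secret, else 0. */
int demo_vulnerable_leaks(void) {
    const uint8_t record[] = {0x01, 0x00, 0x20, 'h', 'i'};  /* claims 32 bytes, carries 2 */
    uint8_t out[64];
    memset(memory, 0, sizeof memory);
    memcpy(memory, record, sizeof record);
    memcpy(memory + sizeof record, SECRET, sizeof SECRET - 1);
    int n = echo_vulnerable(memory, sizeof record, out, sizeof out);
    return n == 32 && memcmp(out + 2, SECRET, sizeof SECRET - 1) == 0;
}

/* Returns 1 if the hardened handler rejects the same malformed record. */
int demo_hardened_rejects(void) {
    const uint8_t record[] = {0x01, 0x00, 0x20, 'h', 'i'};
    uint8_t out[64];
    return echo_hardened(record, sizeof record, out, sizeof out) == -1;
}

/* Returns the echoed length for a well-formed record (expected 2). */
int demo_hardened_accepts_valid(void) {
    const uint8_t record[] = {0x01, 0x00, 0x02, 'h', 'i'};
    uint8_t out[64];
    int n = echo_hardened(record, sizeof record, out, sizeof out);
    return (n == 2 && memcmp(out, "hi", 2) == 0) ? n : -1;
}

int main(void) {
    printf("vulnerable handler leaks adjacent data: %s\n", demo_vulnerable_leaks() ? "yes" : "no");
    printf("hardened handler rejects malformed record: %s\n", demo_hardened_rejects() ? "yes" : "no");
    printf("hardened handler echoes valid record of length: %d\n", demo_hardened_accepts_valid());
    return 0;
}
```

The point to take from the two handlers is the check that is missing, not the copy: bounding the claimed length by the output buffer alone looks like input validation but does nothing to stop the over-read, and a code review or fuzzing harness for any length-prefixed protocol should look for exactly that gap.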
The impact of this revelation is going to be widespread. Certificate Authorities are going to be busy re-issuing certificates for rotated keys and should consider waiving fees for the duration of the emergency.
No fix of this magnitude ever gets deployed completely. Attackers will be using this vulnerability for years to come. There will be many breaches of organizations that do not have the processes in place to discover where this vulnerability exists in their systems, let alone to quickly apply patches and fixes to their web and other services.