A software flaw called ‘Heartbleed’ affects countless web and email servers worldwide. Heartbleed gives attackers the chance to steal the cryptographic keys that are used to secure online commerce and web connections via OpenSSL. Since the flaw also affects email servers, attackers can get their hands on personal information as soon as someone logs on to a vulnerable email server.
SSL is an encryption protocol designed to provide secure data transmission over the Internet. It is the most common technology for securing websites. By using techniques like public key encryption, SSL creates a certificate which contains information about the server. The SSL protocol authenticates the server with which the browser communicates to ensure its legitimacy.
Because of Heartbleed, cybercriminals are not only able to read the encrypted data, but can also take the encryption key used to secure the data. So simply patching the bug doesn’t solve the Heartbleed problem. Affected servers have to update all their keys to make sure the encrypted data is safe again. What the Heartbleed flaw means for site operators and software vendors can be read on Kaspersky Lab’s security blog, Threatpost.com.