On 7 April, OpenSSL released a Security Advisory exposing a flaw which, if exploited, would allow hackers to reveal communications between servers and the computers of Internet users.
OpenSSL is the most popular open source encryption library on the Internet, and is used by a large number of commercial and private service providers, including many social media sites, email providers and instant messaging platforms. The library is used to encrypt information passed between Internet users and website operators, and the encrypted communication should only have been decryptable by the particular service provider.
When exploited, the security flaw, dubbed “Heartbleed”, revealed the encryption keys of service providers using the library. With those keys, the hackers could decrypt the traffic and essentially had unrestricted access to the communications. OpenSSL has released an update to address the security flaw; however, because exploiting the flaw leaves no trace in a server's logs, service providers will find it impossible to assess whether the security of their systems has been compromised, making the situation particularly serious. In addition, the update will only protect future communications, and therefore any that may have already been intercepted will remain vulnerable.
Internet users are being advised to change all of their passwords, and in particular those for important services such as Internet banking.
The security flaw is likely to raise data protection issues for organisations, and it may behoove users of OpenSSL to take a proactive approach to communicating with their customers about security issues. Those organisations that have suffered a security breach may be under a duty to notify individuals, and could be subject to adverse publicity, as well as litigation and regulatory investigation.