Bug interferes with software that secures user information

On April 7, Neel Mehta, a researcher from Google, and a security company named Codenomicon announced an Internet bug in a widely employed software that secures users’ personal information on the web.

In an advisory to users in the country, the Computer Emergency Response Team of India, a nodal agency, has categorised the problem’s severity as “high”.

Ominously named Heartbleed, this bug interferes with the regular function of software called OpenSSL by causing it to spill the secrets, it’s tasked with protecting, to malicious attackers.

When users key in their personal information on a website and hit ‘Enter,’ the data is on the Internet travelling between your computer and the site’s server. To safeguard it, the site uses OpenSSL (SSL refers to Secure Sockets Layer) to encrypt it — turning it into an incoherent jumble of characters — using an encryption key.

With Heartbleed in the picture, OpenSSL allows malicious messages sent to the server implementing it to potentially hand over the encryption key to the attacker.

While most service providers have updated OpenSSL to fix the bug, this SSL standard has seen rampant adoption in the last couple of years and many sites could still be vulnerable.

Describing its potential, Bruce Schneler, a fellow of Hardvard’s Berkman Centre, wrote: “On the scale of 1 to 10, this is an 11,” on his personal blog on April 9.

Companies like Amazon and Google have issued advisories to their customers stating that they have updated their systems and eliminated the threat. Kaspersky, a security firm, advised caution because a Heartbleed attack leaves no traces nor does it give users a chance to protect themselves.