Heartbleed is Huge, Experts Say More Than Half of All Web Servers Are Affected


Yesterday, independent security researchers made public that a critical vulnerability had been discovered in OpenSSL, the widely popular cryptographic software library. The vulnerability, known as “Heartbleed,” allows anyone on the Internet to read the memory of systems protected by multiple versions of OpenSSL (specifically the 1.0.1 and 1.0.2-beta releases), server software that ships with many versions of Linux and is used in popular Web servers. An update for OpenSSL has been issued, and it is now up to system administrators to patch their servers.

People with malicious intentions can use this vulnerability to gain access to users’ passwords and/or fool people into using bogus versions of Web sites.

As of today, April 9, conservative estimates say that nearly 2/3 of all web servers have been affected by Heartbleed. Scary stuff. Thankfully, developers have made it easy to find out whether your server is affected. If you go to this site, you can put in any URL and it will tell you whether or not that server is vulnerable. Also, be sure to read the FAQ, which explains the messages the test sends back to you.

You can also check out this running list of popular websites and whether or not they are affected. Note that Yahoo.com is currently affected by this vulnerability; I assume they will be patching it very soon.

Be safe out there!