OpenSSL is a popular cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it. If an organisation employs OpenSSL, users see a padlock icon in their web browser - although this can also be triggered by rival products. Google Security and Codenomicon - a Finnish security company - revealed on Monday that a flaw had existed in OpenSSL for more than two years that could be used to expose the secret keys that identify service providers employing the code. They said that if attackers made copies of these keys they could steal the names and passwords of people using the services, as well as take copies of their data and set up spoof sites that would appear legitimate because they used the stolen credentials. This vulnerability allows anyone on the internet to read the memory of the system protected by the bug-affected code. In this way, they can get the keys needed to decode and read the data, according security researchers at the Finnish firm Codenomicon who discovered it. The bug is independently discovered recently by Codenomicon and Google Security researcher Neel Mehta. The official name for the vulnerability is CVE-2014-0160.

To read more, visit:

http://www.cbc.ca/news/technology/heartbleed-web-security-bug-what-you-need-to-know-1.2603988