Hey Everyone,
I am a little late to post this warning, but recently a vulnerability was found in the OpenSSL library that allows hackers to exploit SSL and capture data even though it is supposedly secured by an SSL certificate.
The hacker can exploit this flaw without leaving a trace: no logs or security appliance that is vulnerable to this flaw would be able to detect that it is happening or has happened. The exploit allows the attacker to leak information from the server's memory to the client and vice versa.
The exploit is named Heartbleed.
At this point all major websites like eBay/PayPal have been notified, and most have taken action to patch this vulnerability.
This requires all web-server administrators to update the software on the affected web-server and to revoke and renew their SSL certificate; this will resolve the bug and re-secure the web-server.
For users who want to know if a website they use is affected, they can use this web tool: http://filippo.io/Heartbleed/
This will check whether the server administrators have patched the server and updated the certificate.
All users should reset their passwords for each site that has tested OK with the tool, and while you are there, if that particular website offers two-factor authentication as an option, now would be a great time to enable it; if you had this enabled, your account would be safer.
For server operators: you must take action now. See below for the link to update your OpenSSL libraries:
https://www.openssl.org/news/secadv_20140407.txt
After that you must revoke your certificate and have one re-issued.
See below for the statement from OpenSSL:
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.
For more information see the CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
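To make the "missing bounds check" in the OpenSSL statement concrete, here is an added example in C (written for this post, not OpenSSL's own code) of a heartbeat message handler that does the check the advisory describes. A TLS heartbeat message (RFC 6520) carries a 1-byte type, a 2-byte declared payload length, the payload, and at least 16 bytes of padding. The bug was that the responder trusted the declared length and copied that many bytes back out of memory without confirming they were actually inside the received record; because the length field is 16 bits, a single message could pull back up to 64k. The sample records below are constructed, not captured traffic, and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat message layout (RFC 6520):
 *   1 byte   type (1 = request, 2 = response)
 *   2 bytes  payload_length, big-endian
 *   N bytes  payload
 *   >= 16 bytes padding
 */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Validate a received heartbeat record. Returns the declared payload length
 * when the declared payload plus minimum padding fits inside the record,
 * or -1 otherwise. This is the bounds check the advisory says was missing:
 * without it, a record that *declares* 65535 bytes but *carries* a handful
 * would cause the responder to copy 65535 bytes from process memory. */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;   /* too short to be a heartbeat */
    if (rec[0] != 1 && rec[0] != 2) return -1;                 /* unknown heartbeat type */
    unsigned declared = ((unsigned)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + (size_t)declared + HB_MIN_PADDING > rec_len) return -1;
    return (int)declared;
}

/* Build a heartbeat response, copying exactly the validated payload and
 * never a byte beyond the received record. Returns bytes written to out,
 * or -1 if the request is malformed or out is too small. */
int heartbeat_build_response(const uint8_t *req, size_t req_len,
                             uint8_t *out, size_t out_cap) {
    int payload = heartbeat_payload_len(req, req_len);
    if (payload < 0) return -1;
    size_t need = HB_HEADER_LEN + (size_t)payload + HB_MIN_PADDING;
    if (out_cap < need) return -1;
    out[0] = 2;                                 /* response */
    out[1] = req[1];
    out[2] = req[2];
    memcpy(out + HB_HEADER_LEN, req + HB_HEADER_LEN, (size_t)payload);
    /* Padding; a real implementation fills this with random bytes. */
    memset(out + HB_HEADER_LEN + payload, 0, HB_MIN_PADDING);
    return (int)need;
}

/* Constructed sample records (not captured traffic). Both are 23 bytes:
 * 3-byte header + 4-byte payload "ping" + 16 bytes of zero padding. */
static const uint8_t good_req[23] = { 1, 0x00, 0x04, 'p', 'i', 'n', 'g' };
/* Same bytes on the wire, but the length field claims a 65535-byte payload. */
static const uint8_t bad_req[23]  = { 1, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };

int demo_good_len(void) { return heartbeat_payload_len(good_req, sizeof good_req); }   /* 4  */
int demo_bad_len(void)  { return heartbeat_payload_len(bad_req,  sizeof bad_req);  }   /* -1 */
int demo_response_len(void) {
    uint8_t out[64];
    return heartbeat_build_response(good_req, sizeof good_req, out, sizeof out);       /* 23 */
}

int main(void) {
    printf("well-formed request: payload length %d\n", demo_good_len());
    printf("oversized length field: %d (rejected)\n", demo_bad_len());
    printf("response bytes for well-formed request: %d\n", demo_response_len());
    return 0;
}
```

The only difference between the patched and unpatched behaviour is the single comparison in heartbeat_payload_len: with it, the second record is dropped; without it, the responder would have answered with 65535 bytes of whatever sat after the 23-byte record in memory, which is the leak the post describes.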