Last night, while the mainstream press was yammering on about the security implications of Microsoft ending support of Windows XP (it's already vulnerable, this won't really change anything), a much bigger issue was concerning security folks. A massive vulnerability in OpenSSL, called Heartbleed, was revealed. As Matt Blaze notes, the bug actually leaks data beyond what it's protecting, which makes it worse than no crypto at all. The vulnerability likely impacts a huge number of servers -- including Yahoo's (many other major sites, including Google, Facebook, Twitter, Dropbox and Microsoft are apparently not impacted by this). Oh, and the vulnerability has been there for years. Over at the Tor Project, they made the most succinct statement of how serious this is:
If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.
Of course, that also means that if you needed strong anonymity or privacy on the internet, there's a good chance some of the services you use left you vulnerable for quite some time until now.