OpenSSL, used by a host of companies and services to encrypt their data, contained a flaw for two years that, if exploited, allowed external parties to extract data from a server’s working memory in 64-kilobyte chunks. That’s not much, but it was a very repeatable exploit, meaning that nefarious parties could hit the 64-kilobyte button again and again. Eventually, presumably, you would get the golden ticket: private encryption keys. With that, you could decrypt sensitive, protected data, and no one would be the wiser.

Here’s why this is even worse than you first thought: Even if you patch OpenSSL, you don’t know if your servers were previously compromised. You can throw out the old keys and generate new ones, but that only protects you moving forward.
OpenSSL Heartbleed Bug Leaves Much Of The Internet At Risk | TechCrunch, Tuesday, April 8, 2014 @ 9:59pm