14 DAY TRIAL // News about the Heartbleed bug hit the Internet like a nuclear bomb. One day, everything was fine and the only threats to user privacy were the NSA and random hackers. Then, the next day, you found out that two thirds of the world’s websites had unknowingly been putting your security at risk.
The bug has been around for about two years, affecting a lot of OpenSSL versions and thus, a whole bunch of sites, including some of the world’s most popular ones.
Since encryption was the topic of the day yesterday, it was revealed that out of the top 1,000 sites in the world, more than half have no SSL protection and 44 are vulnerable to the bug.
Perhaps the biggest surprise of the entire list that included photo site Imgur, torrent sites such as Kickass Torrents, dating site OkCupid and search engine DuckDuckGo, was Yahoo.
One of the world’s biggest Internet companies announced just last week that all its services were now completely encrypted, including the data moving between its own data centers, after it was revealed that the NSA had infiltrated that connection to gain access to unprotected information.
Back in January, the company enabled HTTPS by default on its sites and in March, it enabled mail encryption between its servers and other mail providers that supported the SMTPTLS standard. All search queries running through the Yahoo homepage and most Yahoo properties were also given the same level of protection.
The company was quite proud of itself for implementing the latest standards in security and cryptographers expressed their appreciation of the company’s efforts.
Thankfully, along with announcing the year’s biggest bug, an update for OpenSSL had also been rolled out, effectively patching up the vulnerability. Yahoo has now implemented the update and its sites appear to be protected once more.
Even so, it’s perhaps a really good idea to change your passwords for Yahoo and mainly any other site that has been affected by the problem, just in case hackers have collected the information.
Since any possible attacks left absolutely no trace on affected servers, there’s no way of knowing just how many times the vulnerability was used.