
The Heartbleed Bug is a vulnerability in OpenSSL. Up until April 2014, OpenSSL was thought to be secure.

Why is it called the Heartbleed Bug?

Because it's in OpenSSL's new heartbeat extension. When heartbeat messages are sent from server to client and vice versa, the affected system bleeds the contents of its memory. Usually this data is encrypted, but the bug allows attackers to read the memory of affected systems, including the keys used to decrypt that data. Hackers can see things like usernames and passwords, credit card info, and social security numbers through any affected site. Not only that, but it leaves no trace of an attack.

Cisco and Juniper security solutions were affected. Have Milton's?

No. We utilize both OpenSSL 0.9.8 and 1.0.1g with Heartbeat disabled. Neither version is affected.

What websites have been affected?

Unfortunately, millions of sites have been affected. CNET has released a list of popular sites that have been affected, and whether or not they have been patched.

What can I do to protect myself?

1. Change all of your passwords. Check the list of sites from CNET to make sure they have been patched before making the change.

2. Test sites yourself! Qualys SSL Labs has set up a page that tests sites for you. Just enter the domain name.

3. Be extra suspicious of sites that want personal information.

4. Track your financial accounts, or place them on a fraud alert.

5. If a site hasn't patched the bug, do not log in to it!

I own a website that is affected. What can I do to fix it?

Update OpenSSL.

Notify users to reset their passwords.

Get a new Certificate from the Certificate Authority.
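Before and after updating, a site owner can confirm which OpenSSL build a host is running. The script below is an added example, not part of the original FAQ: the function name and sample outputs are constructed for illustration, and the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta and 1.0.2-beta1) and the `-DOPENSSL_NO_HEARTBEATS` build flag come from the OpenSSL project's published advisory rather than from this page.

```sh
#!/bin/sh
# Classify `openssl version -a` output for Heartbleed exposure.
# Upstream-affected releases: 1.0.1 through 1.0.1f, 1.0.2-beta and 1.0.2-beta1.
# Usage on a live host: heartbleed_status "$(openssl version -a)"

heartbleed_status() {
    hb_text=$1
    # First line looks like "OpenSSL 1.0.1f 6 Jan 2014"; field 2 is the version.
    hb_ver=$(printf '%s\n' "$hb_text" | awk 'NR==1 && $1=="OpenSSL" {print $2}')
    [ -n "$hb_ver" ] || { echo "unknown"; return 0; }
    hb_ver=${hb_ver%-fips}          # "1.0.1e-fips" -> "1.0.1e"

    # A build compiled with this flag contains no heartbeat code at all.
    case "$hb_text" in
        *-DOPENSSL_NO_HEARTBEATS*) echo "not-affected:heartbeat-disabled"; return 0 ;;
    esac

    case "$hb_ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta|1.0.2-beta1)
            # Distributions often backport the fix without changing the version
            # letter, so confirm against the package changelog or "built on" date.
            echo "affected-version" ;;
        *)  echo "not-affected" ;;
    esac
}

# Constructed sample outputs (not captured from any real host).
SAMPLE_OLD='OpenSSL 0.9.8y 5 Feb 2013
compiler: gcc -O3 -Wall'
SAMPLE_VULN='OpenSSL 1.0.1f 6 Jan 2014
compiler: gcc -fPIC -DOPENSSL_PIC -O2'
SAMPLE_DISABLED='OpenSSL 1.0.1e-fips 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS -O2'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
compiler: gcc -fPIC -DOPENSSL_PIC -O2'

for hb_s in "$SAMPLE_OLD" "$SAMPLE_VULN" "$SAMPLE_DISABLED" "$SAMPLE_FIXED"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$hb_s" | head -n 1)" "$(heartbleed_status "$hb_s")"
done
```

Services that were started before the update keep the old library loaded, so restart them after upgrading and run the check again.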

Who found the bug? I would like to send them flowers.

A team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security reported it to the OpenSSL team.
