UPDATE 1:15 PM EDT Wednesday: Yahoo has patched its servers, so it's safe to log in again. But change your password immediately after you do so.
UPDATE 5:15 PM EDT Tuesday: Several proof-of-concept attacks have succeeded against Yahoo Mail using this security flaw. Until Yahoo gives the all-clear, please do not log into Yahoo Mail or any other Yahoo sites that require a password.
Millions of websites may have been leaking critically sensitive data for the past two years, thanks to a devastating flaw in the OpenSSL software many sites use to encrypt and transmit data.
The Heartbleed bug, as it's called by the researchers who discovered it, would let anyone on the Internet get into a supposedly secure Web server running certain versions of OpenSSL and scoop up the site's encryption keys, user passwords and site content.
Once an attacker has a website's encryption keys, anything is fair game: Instead of slipping through a proverbial crack in the wall, he can now walk in and out the front door.
There have been no documented instances of attacks exploiting the Heartbleed bug. But because an attack using the bug would leave no trace, and the potential damage from an attack would be so significant, all websites that ever used the affected versions of OpenSSL should be considered compromised.
Websites that are currently vulnerable to Heartbleed exploits include Yahoo, Comixology, Flickr, Imgur and OculusVR. Many other top sites — including Facebook, Google, Wikipedia, Amazon, Twitter, Apple and Microsoft — are not currently vulnerable, though some may have been in the past.
How the Heartbleed bug works
Most secure websites encrypt traffic to and from their servers using a protocol called SSL/TLS. There are several different encryption "libraries" that can be used in this protocol, and one of the most widely used is an open-source library called OpenSSL.
The Heartbleed bug is in versions of OpenSSL issued from December 2011 onward, not in SSL/TLS itself. Not every instance of SSL or TLS encryption across the Internet is compromised. But OpenSSL is the default encryption library in Apache and Nginx server software, which power two-thirds of all websites.
An attack exploiting the Heartbleed bug would leave no trace in an attacked Web server's logs. It's impossible to tell how many sites, if any, may have been exploited, and how many may have been vulnerable over the past two years.
Neel Mehta of Google Security and a team of engineers at Oulu, Finland-based security company Codenomicon first discovered the Heartbleed bug, though they haven't specified when. They've created a FAQ page at heartbleed.com with full details.
The bug's name refers to a handshake (process of connecting to a network) in OpenSSL's code called the "heartbeat extension," which sets a limit on how long an encrypted session stays valid. A coding error meant that the extension was missing a necessary verification (called a bounds check), thus giving an attacker access to additional information about the server and creating the vulnerability.
The most recent version of OpenSSL, 1.0.1g, patches the flaw, so any websites running OpenSSL should upgrade to the newest version immediately.
However, the damage has been done. Versions of OpenSSL with the bug have been in use for more than two years. If an attacker used the Heartbleed bug to get into a Web server, he would have access to the website's "crown jewels": its encryption keys.
With the keys, attackers could decrypt traffic to and from the server; impersonate the server so that users who think they're visiting a given website are actually visiting a fraudulent site disguised as the correct one; or decrypt the server's databases, including their users' personal information, such as usernames, passwords, email addresses, payment information and more.
Web servers that use or used vulnerable versions of OpenSSL need to do more than upgrade to the latest version of OpenSSL; they also need to revoke and reissue all of their encryption certificates. It's no use boarding up a hole in the wall if the intruders can now let themselves in through the front door.
Who is affected?
Administrators of websites using Apache or Nginx server software need to evaluate whether they have, or had used, vulnerable versions of OpenSSL. Such websites should be considered compromised.
OpenSSL is also incorporated into email servers using the SMTP, POP and IMAP protocols; chat servers using the SMPP protocol; and most virtual private networks (VPNs) that use SSL to protect their networks.
Want to check if an individual Web domain is affected? Cloud security company Qualys' SSL Labs has created a test.
"Ironically, smaller and more progressive services, or those who have upgraded to the latest and best encryption, will be affected most," wrote the Codenomicon researchers in a thorough write-up on the Heartbleed bug.
Many large consumer sites are not vulnerable to the Heartbleed bug, the researchers said, because those sites tend to be slow to adopt new security measures and have failed to upgrade to modern Web architecture. (They might, of course, be vulnerable to other kinds of attacks.)
What should you do?
Unless you're a system administrator, there's not much you can do right now. We can't even recommend that you change your online passwords — not yet, at least. If a website hasn't upgraded its OpenSSL library and changed its encryption certificates, then a new password would be just as compromised as an old one.
The vulnerable versions of OpenSSL are 1.0.0 through 1.0.1f. If you're a website administrator and can't upgrade to the newest version, then you can manually disable the heartbeat function and then recompile OpenSSL's code.