A serious vulnerability has been found in OpenSSL, the cryptographic library behind a huge proportion of web and Internet services. The bug is in OpenSSL's implementation of the TLS heartbeat extension: a malformed heartbeat request makes the server reply with a chunk of its own memory (up to 64 KB per request), and an attacker can repeat this as often as they like, without authenticating and without crashing anything. The leaked memory can contain session cookies, passwords and, worst of all, the server's private key, at which point the encryption is useless.

Worse, an attacker who recovers the private key can impersonate the server and decrypt any recorded traffic that was protected without forward secrecy, past as well as future, allowing eavesdropping, impersonation and theft of data.

The vulnerability, known as Heartbleed (CVE-2014-0160), was found by researchers at Google and Codenomicon. While publicly announced only yesterday (7 Apr), the bug has been present in the code since December 2011 and shipped in OpenSSL 1.0.1 in March 2012; every release from 1.0.1 to 1.0.1f is affected, and 1.0.1g fixes it.

The various affected Linux distributions have been speedily updated and I updated our servers this morning. We must now wait and see how quickly the fixes will be applied to other servers and systems.

The effect of this bug is serious: it undermines the security of TLS connections throughout the Internet, and because heartbeat messages are handled inside the TLS layer, an attack leaves no trace in ordinary web server logs. A site that ran a vulnerable version has to assume its private key was read. Renewing the certificate is not enough on its own: the fix is to generate a new key pair, have a new certificate issued for it and revoke the old one, and then to invalidate existing sessions and ask users to change passwords, so that any ‘exposed’ details cannot be used in a future attack.
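To make the bug concrete, here is an added model of the faulty length check, written for this post in Python rather than taken from OpenSSL's C source. A bytes arena stands in for process memory: the heartbeat record sits at its start, and a constructed secret (SESSION=deadbeef) is placed a little after it, where another connection's data could sit in a real server. heartbeat_vulnerable reproduces the pre-1.0.1g logic, which trusts the length field in the message; heartbeat_fixed adds the bounds check that 1.0.1g introduced. The function and constant names are mine, not OpenSSL's.

```python
"""Model of the OpenSSL heartbeat bug (CVE-2014-0160): an added illustration,
not OpenSSL's own code. A bytes arena stands in for process memory."""
import struct
from typing import Callable, Optional, Tuple

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16                  # a TLS heartbeat carries at least 16 bytes of padding
ARENA_SIZE = 256
SECRET = b"SESSION=deadbeef"      # constructed stand-in for another user's data
SECRET_OFFSET = 32                # sits in "memory" just past the heartbeat record


def build_arena(claimed_len: int, real_payload: bytes = b"hi") -> Tuple[bytes, int]:
    """Lay out a heartbeat request at the start of a fake memory arena.

    The 3-byte header claims the payload is `claimed_len` bytes long, but the
    record really carries only `real_payload` plus padding. Returns the arena
    and the record's true length (what OpenSSL tracks as s->s3->rrec.length).
    """
    record = (bytes([HB_REQUEST]) + struct.pack("!H", claimed_len)
              + real_payload + b"\x00" * MIN_PADDING)
    arena = bytearray(ARENA_SIZE)
    arena[:len(record)] = record
    arena[SECRET_OFFSET:SECRET_OFFSET + len(SECRET)] = SECRET
    return bytes(arena), len(record)


def heartbeat_vulnerable(arena: bytes, rrec_len: int) -> Optional[bytes]:
    """Pre-1.0.1g logic: trust the length field and never consult rrec_len.

    The echo copies `payload` bytes from the payload pointer, so a claim larger
    than the real payload reads whatever follows the record. (In the real bug
    the copy is a memcpy into a fresh buffer, up to 64 KiB per request.)
    """
    hbtype = arena[0]
    (payload,) = struct.unpack("!H", arena[1:3])   # attacker-controlled length
    if hbtype != HB_REQUEST:
        return None
    # rrec_len is deliberately ignored here: that omission is the bug.
    echoed = arena[3:3 + payload]                   # over-read happens here
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload) + echoed + b"\x00" * MIN_PADDING


def heartbeat_fixed(arena: bytes, rrec_len: int) -> Optional[bytes]:
    """The 1.0.1g check: header + claimed payload + minimum padding must fit
    inside the record actually received; otherwise the message is discarded."""
    if 1 + 2 + MIN_PADDING > rrec_len:
        return None
    hbtype = arena[0]
    (payload,) = struct.unpack("!H", arena[1:3])
    if 1 + 2 + payload + MIN_PADDING > rrec_len:
        return None                                 # silently drop, as the fix does
    if hbtype != HB_REQUEST:
        return None
    echoed = arena[3:3 + payload]                   # now provably inside the record
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload) + echoed + b"\x00" * MIN_PADDING


def leaks_secret(handler: Callable[[bytes, int], Optional[bytes]], claimed_len: int = 64) -> bool:
    """Send a request that lies about its length and check whether the
    response carries the secret, which was never part of the request."""
    arena, rrec_len = build_arena(claimed_len)
    response = handler(arena, rrec_len)
    return response is not None and SECRET in response


if __name__ == "__main__":
    print("vulnerable handler leaks secret:", leaks_secret(heartbeat_vulnerable))
    print("fixed handler leaks secret:     ", leaks_secret(heartbeat_fixed))
```

Python slicing stops at the end of the arena, whereas the real memcpy keeps going, so the model understates the damage: in OpenSSL the read runs into whatever the process happened to have on the heap next to the record.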


I've been using Flock for about a month now. It's very good; highly recommended. The browser is built on Firefox and comes with a decent RSS reader, Flickr & PhotoBucket support built in, and blogging capability (from where I'm writing this).

Blogged with Flock

Hack Attempt

Just noticed an attempt to find unprotected admin/phpMyAdmin interfaces on one of our servers. The script appears to try common URLs (below) for PMA, presumably in the hope that the admin has left it wide open. As ever, keep those doors locked and secured!
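One way to pull this kind of probing out of an access log, as an added example rather than anything from the original post: group requests for admin-looking paths by client IP, flag an IP that tries several distinct ones, and highlight any probe that got a 200, because that is the open door. The path list and the log lines are constructed for the example (the post does not reproduce the URLs the script actually requested), the Apache combined log format is assumed, and the addresses come from the RFC 5737 documentation ranges.

```python
"""Spotting a phpMyAdmin/admin-interface scan in a combined-format access log.
Added example; the scanner paths and log lines below are constructed."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths of the kind these scanners try. Constructed for this example; the
# post does not list the URLs the script actually requested.
ADMIN_PATH_RE = re.compile(
    r'^/(?:phpmyadmin[-\w.]*|pma|myadmin|mysql|dbadmin|admin)(?:/|$)', re.IGNORECASE
)

# Constructed sample log: one scanner walking a list of guesses, and one
# ordinary visitor who also uses the (legitimately linked) /pma/ path.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2014:02:14:05 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Apr/2014:02:14:05 +0100] "GET /phpMyAdmin-2.11.0/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Apr/2014:02:14:06 +0100] "GET /myadmin/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Apr/2014:02:14:06 +0100] "GET /mysql/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Apr/2014:02:14:07 +0100] "GET /pma/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.20 - - [10/Apr/2014:09:01:12 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2014:09:01:30 +0100] "GET /pma/ HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/5.0"
"""

THRESHOLD = 3   # distinct admin paths from one IP before we call it a scan


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_admin_scanners(lines: Iterable[str], threshold: int = THRESHOLD) -> Dict[str, Dict[str, List[str]]]:
    """Group admin-interface probes by client IP.

    An IP that requests at least `threshold` distinct admin paths is reported,
    together with any of its probes that answered 200: a guess that succeeded
    means the interface really was reachable.
    """
    probed: Dict[str, set] = defaultdict(set)
    found: Dict[str, set] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not ADMIN_PATH_RE.match(rec["path"]):
            continue
        probed[rec["ip"]].add(rec["path"])
        if rec["status"] == 200:
            found[rec["ip"]].add(rec["path"])
    return {
        ip: {"probed": sorted(paths), "found": sorted(found[ip])}
        for ip, paths in probed.items()
        if len(paths) >= threshold
    }


if __name__ == "__main__":
    for ip, info in find_admin_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: probed {len(info['probed'])} admin paths; open: {info['found'] or 'none'}")
```

The threshold is what separates the scanner from the single visitor who uses the real admin path: a lone request for /pma/ is not evidence of anything, a run of five different guesses in two seconds is. Whatever the detection says, the real fix is the one the post gives: keep the interface behind authentication, or off the public interface entirely.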