Though the Heartbleed software bug remains a serious threat to online security, some tech-security experts are saying it might not be as bad as originally feared though, as always, other experts disagree.
The Federal Financial Institutions Examination Council this week told banks and other financial institutions to make sure they and their customers are protected against the Heartbleed security hole, specifically by “incorporat[ing] patches on systems and services, applications, and appliances using OpenSSL, and upgrad[ing] systems as soon as possible to address the vulnerability.”
However, most banks responded by saying they and their accounts were never at risk in the first place, since they don't use Open SSL anyway.
American Banker reported that Bank Technology News tested the websites of various banks with a “Heartbleed bug checker” and determined that, of the tested sites, only Citigroup's was deemed “Possibly Unsafe,” due to potential use of OpenSSL encryption.
The bug has been found in routers and other Internet hardware made by Cisco and Juniper Systems, leaving open the possibility that hackers could steal any information passed along those systems; it's possible such compromised hardware will have to be replaced rather than merely patched.
Possible good news
On the other hand, there's possible good news from CloudFlare, the content-distribution network which first discovered the Heartbleed bug.
When news of Heartbleed first came out, security experts worried about a worst-case scenario wherein the bug might give hackers the private SSL keys of various websites. If that happened, those websites would remain vulnerable for months or even years after the initial Heartbleed security holes were patched.
However (as of Friday afternoon), it appears that private SSL keys are safe.
CloudFlare put up a new “Heartbleed Challenge” website (unconnected to its regular servers), deliberately designed to be vulnerable to Heartbleed. The challenge asks visitors “Can you steal the keys from this server” and as of Friday afternoon the answer remains “no.”