With the private key, attackers could decrypt captured traffic to and from the server (on connections that did not use a forward-secret key exchange), or impersonate the server, so that users who think they're visiting a given website are actually talking to a fraudulent site disguised as the correct one. Because the bug leaks whatever happens to be in the server's memory, attackers can also read users' session cookies and the personal information passing through the server, such as usernames, passwords, email addresses and payment details.
Web servers that use or used vulnerable versions of OpenSSL need to do more than upgrade to the latest version of OpenSSL and restart every service that loaded the old library; they also need to generate new private keys and revoke and reissue all of their TLS certificates. Reissuing a certificate for the same, already-leaked key achieves nothing. It's no use boarding up a hole in the wall if the intruders can now let themselves in through the front door.
Who Is Affected?
Administrators of websites using Apache or Nginx server software (or any other server built against OpenSSL) need to evaluate whether they run, or have ever run, vulnerable versions of OpenSSL. Any such website should be treated as compromised: exploitation leaves no trace in server logs, so there is no way to prove the keys were not taken.
OpenSSL is also incorporated into email servers using the SMTP, POP and IMAP protocols; chat servers using the XMPP protocol; and most virtual private networks (VPNs) that use SSL to protect their networks.
Want to check if an individual Web domain is affected? Cloud security company Qualys' SSL Labs has created a test.
"Ironically, smaller and more progressive services, or those who have upgraded to the latest and best encryption, will be affected most," wrote the Codenomicon researchers in a thorough write-up on the Heartbleed bug.
Many large consumer sites are not vulnerable to the Heartbleed bug, the researchers said, because those sites tend to be slow to adopt new security measures and have failed to upgrade to modern Web architecture. (They might, of course, be vulnerable to other kinds of attacks.)
What Should You Do?
Unless you're a system administrator, there's not much you can do right now. We can't even recommend that you change your online passwords — not yet, at least. If a website hasn't upgraded its OpenSSL library and replaced its keys and certificates, then a new password could be captured just as easily as the old one. Once a site confirms it has done both, change your password there.
The vulnerable versions of OpenSSL are 1.0.1 through 1.0.1f (plus the 1.0.2-beta1 prerelease); the older 1.0.0 and 0.9.8 branches never had the heartbeat extension and are not affected. Website administrators should upgrade to 1.0.1g. Those who can't upgrade yet can instead recompile OpenSSL with the heartbeat extension disabled, by building with the -DOPENSSL_NO_HEARTBEATS flag, and then restart every service that links against the library. Note that some Linux distributions backport the fix without changing the version string, so a build reporting 1.0.1e may already be patched; check the build date and the vendor's package changelog.
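The version check described above, as an added shell example that is not part of the original article. It classifies the output of `openssl version -a` against the affected range and, for builds that still report a vulnerable version string, looks at the build date so that vendor-backported fixes (rebuilt on or after 7 April 2014, the day 1.0.1g shipped) are flagged for follow-up rather than wrongly declared vulnerable. The sample output strings and the status labels are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Tom's Guide article or the OpenSSL project.
# Classifies an OpenSSL build against the Heartbleed-affected range:
#   1.0.1 through 1.0.1f and 1.0.2-beta1 -> vulnerable
#   1.0.1g and later, 1.0.2-beta2 and later, 1.1.x, 3.x -> fixed
#   0.9.8 and 1.0.0 branches (no heartbeat extension) -> unaffected

# $1: the first line of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) echo "vulnerable" ;;
        1.0.2-beta1)                   echo "vulnerable" ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*)  echo "fixed" ;;
        0.9.8*|1.0.0*)                 echo "unaffected" ;;
        *)                             echo "unknown" ;;
    esac
}

# $1: full output of `openssl version -a`. Prints "yes" if the "built on:" line
# is dated 7 Apr 2014 or later, "no" if earlier, "unknown" if no parsable date.
built_on_or_after_fix() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i
        }
        /^built on:/ {
            found = 1
            # fields: built on: Tue Apr 8 10:12:00 UTC 2014
            if ($4 in mon && $8 ~ /^[0-9][0-9][0-9][0-9]$/) {
                d = $8 * 10000 + mon[$4] * 100 + $5
                print (d >= 20140407) ? "yes" : "no"
            } else {
                print "unknown"
            }
            exit
        }
        END { if (!found) print "unknown" }'
}

# $1: full output of `openssl version -a`. Combines the two checks: a vulnerable
# version string on a build dated after the fix is reported as "check-vendor-patch"
# because distributions backport fixes without bumping the version.
assess_openssl() {
    first=$(printf '%s\n' "$1" | head -n 1)
    status=$(heartbleed_status "$first")
    if [ "$status" = "vulnerable" ] && [ "$(built_on_or_after_fix "$1")" = "yes" ]; then
        echo "check-vendor-patch"
    else
        echo "$status"
    fi
}

# Constructed sample: a distribution build that kept the 1.0.1e version string
# but was rebuilt with the vendor's backported fix.
SAMPLE_BACKPORTED='OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Apr  8 10:12:00 UTC 2014
platform: debian-amd64'

# Constructed sample: an unpatched upstream 1.0.1e build.
SAMPLE_UNPATCHED='OpenSSL 1.0.1e 11 Feb 2013
built on: Wed Feb 12 09:00:00 UTC 2013
platform: linux-x86_64'

# Report on the OpenSSL installed on this machine, if any.
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        out=$(openssl version -a 2>/dev/null)
        echo "local openssl: $(assess_openssl "$out")"
    else
        echo "local openssl: not installed"
    fi
}

check_local_openssl
```

If the result is `check-vendor-patch`, confirm with the package manager (for example the distribution's security advisory or changelog for the openssl package) before treating the host as patched; if it is `vulnerable`, upgrade or rebuild with `-DOPENSSL_NO_HEARTBEATS`, restart everything linked against the library, then replace keys and certificates.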
This article originally appeared on Tom's Guide, a TechMediaNetwork company. Copyright 2014, all rights reserved. This material may not be published, broadcast, rewritten or redistributed.