Monday, April 14, 2014

The Heartbleed bug is in the news. The bug was found in a software library used in servers, operating systems and email and instant-messaging systems. OpenSSL, the open-source secure sockets layer library, provides cryptographic protocols designed to secure communications over the internet. SSL uses the X.509 public key infrastructure (PKI) and Privilege Management Infrastructure (PMI) for security. The core library implements basic cryptographic functions and provides various utility functions.

The vulnerability was introduced when the maintainer of Debian (an open-source operating system) issued a patch to stop the Valgrind analysis tool from reporting error messages. Apparently, the patch was not adequately tested, and it broke the random number generator. This occurred with the Debian release of September 2006, version 0.9.8c-1. Some sources contend the bug occurred in 2011 and 2012. The result is that any key generated with the broken number generator, along with any data encrypted under it, was compromised. These problems have recently been corrected; however, any data transmitted in the meantime, including any user names and passwords, is compromised.

The good news is that the bug was not intentional and that it was discovered through peer review rather than by some form of hacker, although some sources contradict this latter position. Based on examinations of audit logs by researchers, it has been reported that some attackers may have exploited the flaw for at least five months before its discovery and announcement. On April 12, 2014, two independent researchers were able to steal private keys from an experimental server using this attack. Also, some sources indicate that the US National Security Agency discovered the bug but kept the news to itself in order to exploit it.
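To show why a broken random number generator compromises every key made with it, here is an added example that is not part of the original post and not OpenSSL or Debian code. It uses a constructed toy key generator whose output depends only on a 15-bit seed (an assumption chosen for illustration, not the real defect), so the whole "key space" can be enumerated. The same enumeration is what lets a defender build a blacklist of fingerprints and flag any key that came from the weak generator; the names weak_keygen, build_weak_key_blacklist and is_weak_key are hypothetical.

```python
import hashlib
import random

# Constructed assumption: the only entropy reaching the generator is a 15-bit value.
SEED_BITS = 15
KEY_LEN = 32  # bytes


def weak_keygen(seed: int, key_len: int = KEY_LEN) -> bytes:
    """Toy key generator: the entire key is a deterministic function of a small seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(key_len))


def fingerprint(key: bytes) -> str:
    """Short stable identifier for a key, so keys can be compared without storing them."""
    return hashlib.sha256(key).hexdigest()[:16]


def build_weak_key_blacklist(seed_bits: int = SEED_BITS) -> set[str]:
    """Enumerate every seed the weak generator could have used and record the fingerprints.

    With only seed_bits of entropy there are at most 2**seed_bits distinct keys,
    which is why a defender can precompute all of them and check keys against the set.
    """
    return {fingerprint(weak_keygen(seed)) for seed in range(1 << seed_bits)}


def is_weak_key(key: bytes, blacklist: set[str]) -> bool:
    """True if the key's fingerprint is one the weak generator can produce."""
    return fingerprint(key) in blacklist


if __name__ == "__main__":
    blacklist = build_weak_key_blacklist()
    print(f"distinct keys the weak generator can ever produce: {len(blacklist)}")
    suspect = weak_keygen(4242)            # a key made on a machine with the broken RNG
    strong = hashlib.sha256(b"constructed strong key").digest()  # stand-in for a properly generated key
    print("suspect key flagged:", is_weak_key(suspect, blacklist))
    print("strong key flagged: ", is_weak_key(strong, blacklist))
```

The point the blacklist makes is that the defect is not in the cipher but in the entropy feeding it: a 256-bit key drawn from a 15-bit seed is no stronger than the seed, and once the full set is known, each key is either in the list (replace it) or not.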
http://www.bbc.com/news/technology-26935905
http://en.wikipedia.org/wiki/OpenSSL
http://en.wikipedia.org/wiki/Transport_Layer_Security
http://en.wikipedia.org/wiki/X.509
http://en.wikipedia.org/wiki/Heartbleed
