April 10th 2014
Heartbleed is the unofficial name for the CVE-2014-0160 bug with the OpenSSL library which has been shown to reveal private information from affected servers. MultiBit uses SSL to ensure you are downloading from the correct site and tests show that multibit.org is NOT affected by the Heartbleed issue.
The Heartbleed bug is in OpenSSL's implementation of the transport layer security protocol's (TLS/DTLS) heartbeat extension as detailed in RFC 6520. When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.
This particular bug has existed for 3 years and has left a large number of SSL certificate private keys (not Bitcoin private keys) exposed to the Internet. The bug is specific to OpenSSL and is not a failure of the SSL/TLS protocols themselves.
While we use SSL to ensure the legitimacy of the download, we also digitally sign all releases of MultiBit software. This ensures that you can be absolutely sure that you have downloaded a legitimate copy of MultiBit. Instructions for checking the signature are given below.
Here are some related articles: