An Internet security flaw known as Heartbleed may be putting your personal information at risk. Here’s what you need to know to understand this new security threat.
UPDATE: According to a June 23 report from PC Mag, over 300,000 servers are still vulnerable to Heartbleed.
1. Heartbleed Could Affect 2/3 of All Web Servers
Even if Heartbleed loses your data, you still have your thoughts: http://t.co/mLV5ocYkzk
— Gizmodo (@Gizmodo) April 9, 2014
CNN explains that the Heartbleed vulnerability could be putting the passwords, financial information, and even private emails of the average person at risk of exposure to hackers.
“Heartbleed is a flaw in OpenSSL, an open-source encryption technology that is used by an estimated two-thirds of Web servers. It is behind many HTTPS sites that collect personal or financial information. These sites are typically indicated by a lock icon in the browser to let site visitors know the information they’re sending online is hidden from prying eyes.
Cybercriminals could exploit the bug to access visitors’ personal data as well as a site’s cryptographic keys, which can be used to impersonate that site and collect even more information.”
2. You Have Almost Certainly Been Affected by Heartbleed
Internet users advised to change passwords due to widespread 'Heartbleed' bug. http://t.co/LHj5FLOF8K
— UPI.com (@UPI) April 9, 2014
This detailed FAQ about Heartbleed explains just how widespread the Heartbleed problem is. The FAQ states:
“You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL…
Fortunately many large consumer sites are saved by their conservative choice of SSL/TLS termination equipment and software. Ironically smaller and more progressive services or those who have upgraded to latest and best encryption will be affected most.”
Experts advise changing your website passwords as a first step, but the order matters: a new password sent to a site that has not yet patched OpenSSL (and replaced the certificate whose private key may have leaked) can be exposed exactly as the old one was. Change the password for a site only after it has announced that it is fixed; until then, changing it buys nothing.
3. It Is Nearly Impossible to Know Whether You’re Affected
Interesting coincidence that Heartbleed happened on April 8, the same day security support for Windows XP was turned off.
— Dave Winer ☮ (@davewiner) April 9, 2014
The Heartbleed FAQ cited above adds: “Exploitation of this bug leaves no traces of anything abnormal happening to the logs.” The leaked bytes travel back inside an ordinary-looking TLS heartbeat reply, so a server’s own logs record nothing, and a site cannot tell after the fact what was read or by whom. The one place an attack is visible is on the wire: the malformed heartbeat request has a recognisable shape, so a network intrusion detection system with a signature for it can flag attempts, but only in traffic it was already capturing at the time.
4. Security Firm Codenomicon Discovered Heartbleed
Two of the biggest web security issues this year have been caused by coding errors. Heartbleed and Apple's SSL flaw. Code review, do it.
— Tom Warren (@tomwarren) April 9, 2014
CNET reports that the flaw was found independently by security firm Codenomicon, which gave it the Heartbleed name, and by Google researcher Neel Mehta, who reported it to the OpenSSL team.
CNET adds that cryptography consultant Filippo Valsorda has published a web tool that checks whether a given site is vulnerable to Heartbleed. CNET notes Google, Microsoft, Twitter, Facebook, Dropbox, Imgur, OKCupid, and Eventbrite were all found vulnerable by the tool.
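What a checker like the one CNET describes actually sends, and why (as the FAQ quoted in point 3 says) the attack leaves nothing in a server's own logs, comes down to one malformed TLS heartbeat record. The Python below is an added example for this page, not Filippo Valsorda's tool or OpenSSL's code: it builds that record, shows the bounds check that separates a benign heartbeat from the probe (the same check the 1.0.1g fix added before copying memory, which a network IDS can apply to captured traffic), and classifies a reply. The TLS handshake needed to deliver the probe to a real host is omitted; every request and reply here is constructed in the script, not captured from any server.

```python
import struct

# TLS record content types (RFC 5246) and heartbeat message types (RFC 6520)
TLS_ALERT = 0x15
TLS_HEARTBEAT = 0x18
HB_REQUEST = 1
HB_RESPONSE = 2
HB_MIN_PADDING = 16  # RFC 6520: at least 16 bytes of random padding follow the payload


def tls_record(ctype, body, version=(3, 2)):
    """Wrap a body in a TLS record header (content type, version, 16-bit length)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


def build_heartbeat_request(declared_len, payload=b""):
    """Build a heartbeat request record.

    A well-formed request declares exactly the payload it carries (plus padding).
    The probe used by Heartbleed checkers declares far more than it sends, e.g.
    declared_len=0x4000 with no payload: a vulnerable server copies that many
    bytes out of its own memory into the reply.
    """
    return tls_record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, declared_len) + payload)


def parse_record(buf):
    """Split one raw TLS record into (content_type, version, body); None if truncated."""
    if len(buf) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    body = buf[5:5 + length]
    if len(body) != length:
        return None
    return ctype, (major, minor), body


def is_malformed_heartbeat(record):
    """Network-side detection of the probe.

    True when a heartbeat request declares more payload than the record can hold.
    This is the bounds check the OpenSSL 1.0.1g fix added before copying:
    1 (type) + 2 (length) + payload_length + 16 (padding) must fit in the record.
    """
    parsed = parse_record(record)
    if parsed is None or parsed[0] != TLS_HEARTBEAT:
        return False
    body = parsed[2]
    if len(body) < 3:
        return True  # not even room for the type and length fields
    hb_type, declared = struct.unpack("!BH", body[:3])
    return hb_type == HB_REQUEST and 1 + 2 + declared + HB_MIN_PADDING > len(body)


def classify_response(record, sent_payload_len):
    """Interpret the first record that comes back after a heartbeat request.

    'vulnerable': a heartbeat response carrying more payload than was sent
    'echo':       a heartbeat response that only returns what was sent
    'patched':    an alert or no reply at all (fixed servers discard the probe silently)
    'unknown':    anything else
    """
    parsed = parse_record(record) if record else None
    if parsed is None or parsed[0] == TLS_ALERT:
        return "patched"
    ctype, _, body = parsed
    if ctype == TLS_HEARTBEAT and len(body) >= 3 and body[0] == HB_RESPONSE:
        # OpenSSL pads with exactly 16 bytes; anything beyond that came from server memory
        returned = len(body) - 3 - HB_MIN_PADDING
        return "vulnerable" if returned > sent_payload_len else "echo"
    return "unknown"


# Constructed sample traffic (not captured from any host)
PROBE = build_heartbeat_request(0x4000)                   # declares 16384 bytes, sends none
BENIGN = build_heartbeat_request(4, b"ping" + bytes(16))  # declares 4, sends 4 + padding
LEAK = b"A" * 4096                                        # stand-in for a first fragment of leaked memory
VULN_REPLY = tls_record(TLS_HEARTBEAT, struct.pack("!BH", HB_RESPONSE, 0x4000) + LEAK + bytes(16))
ECHO_REPLY = tls_record(TLS_HEARTBEAT, struct.pack("!BH", HB_RESPONSE, 4) + b"ping" + bytes(16))
PATCHED_REPLY = tls_record(TLS_ALERT, bytes([2, 10]))     # fatal, unexpected_message

if __name__ == "__main__":
    for name, rec in (("probe", PROBE), ("benign", BENIGN)):
        print(f"{name:7s} malformed={is_malformed_heartbeat(rec)}")
    for name, rec in (("vulnerable server", VULN_REPLY), ("patched server", PATCHED_REPLY), ("no reply", b"")):
        print(f"{name:18s} -> {classify_response(rec, 0)}")
```

The same `is_malformed_heartbeat` condition, applied to heartbeat records in a packet capture, is what the IDS signatures written for Heartbleed check; the comparison in `classify_response` is the same one a checker makes on a live reply, except that a real vulnerable server may split 16 KB across several records, so a checker reads until the connection goes quiet.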
5. There Is a Fix for Heartbleed
Tom Scott’s video offers a non-technical breakdown of Heartbleed.
OpenSSL is aware of the Heartbleed vulnerability. In a brief statement on their site, OpenSSL states:
“Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1…
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
1.0.2 will be fixed in 1.0.2-beta2.”
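Turning the advisory into a check of an installed build: the Python below is an added example for this page, not OpenSSL's own tooling, and reads the text that `openssl version -a` prints (the version line, the `built on:` date and the `compiler:` flags, which is where `-DOPENSSL_NO_HEARTBEATS` shows up when a build took the advisory's workaround). The build-date heuristic is an assumption of this example, not something the advisory states: Linux distributions backported the fix without changing the version string, so a 1.0.1e build dated on or after 7 April 2014 needs the vendor's package advisory, not the version number, to settle the question. The sample outputs are constructed.

```python
import re
import sys
from datetime import date

FIX_RELEASE = date(2014, 4, 7)  # OpenSSL 1.0.1g, the first release carrying the fix
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

VERSION_RE = re.compile(r"^OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.M)
BUILT_RE = re.compile(
    r"^built on:\s*\w{3}\s+(\w{3})\s+(\d{1,2})\s+[\d:]+\s+(?:\w+\s+)?(\d{4})", re.M)
COMPILER_RE = re.compile(r"^compiler:(.*)$", re.M)


def version_affected(major, minor, patch, letter, beta):
    """Apply the advisory's version list: 1.0.1 through 1.0.1f and 1.0.2-beta1 are
    affected; 1.0.1g, 1.0.2-beta2 and every 0.9.8 / 1.0.0 release are not."""
    if (major, minor, patch) == (1, 0, 1):
        return letter < "g"  # "" (the base 1.0.1 release) and "a".."f" sort before "g"
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1
    return False


def built_on(text):
    """Extract the 'built on:' date, or None if the line is absent or unparseable."""
    m = BUILT_RE.search(text)
    if not m or m.group(1) not in MONTHS:
        return None
    return date(int(m.group(3)), MONTHS[m.group(1)], int(m.group(2)))


def assess(version_a_output):
    """Classify the text printed by `openssl version -a`; returns version and verdict."""
    m = VERSION_RE.search(version_a_output)
    if not m:
        return {"version": None, "verdict": "unrecognised"}
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    version = m.group(0)[len("OpenSSL "):]
    beta = int(m.group(5)) if m.group(5) else None
    if not version_affected(major, minor, patch, m.group(4), beta):
        return {"version": version, "verdict": "not affected"}

    # The advisory's workaround for those who cannot upgrade: the define appears
    # in the compiler line (the same text `openssl version -f` prints on its own).
    c = COMPILER_RE.search(version_a_output)
    if c and "-DOPENSSL_NO_HEARTBEATS" in c.group(1):
        return {"version": version, "verdict": "heartbeats compiled out"}

    # Heuristic (an assumption of this example, not from the advisory): distributions
    # backported the fix without bumping the version string, so a vulnerable-looking
    # version built on or after the fix release needs the vendor advisory to settle it.
    built = built_on(version_a_output)
    if built is not None and built >= FIX_RELEASE:
        return {"version": version,
                "verdict": "affected version, possibly backported fix: check vendor advisory"}
    return {"version": version, "verdict": "affected"}


# Constructed `openssl version -a` outputs (not taken from any real host)
SAMPLES = {
    "stock 1.0.1f": (
        "OpenSSL 1.0.1f 6 Jan 2014\n"
        "built on: Mon Jan  6 13:19:26 UTC 2014\n"
        "platform: linux-x86_64\n"
        "compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O3\n"),
    "1.0.1g": "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr  7 14:51:02 UTC 2014\n",
    "no heartbeats": (
        "OpenSSL 1.0.1f 6 Jan 2014\n"
        "built on: Tue Apr  8 09:12:44 UTC 2014\n"
        "compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O3\n"),
    "distro backport": (
        "OpenSSL 1.0.1e 11 Feb 2013\n"
        "built on: Mon Apr  7 20:33:29 UTC 2014\n"
        "compiler: gcc -fPIC -DOPENSSL_PIC -O2\n"),
    "1.0.2-beta1": "OpenSSL 1.0.2-beta1 24 Feb 2014\n",
    "1.0.0l": "OpenSSL 1.0.0l 6 Jan 2014\n",
}

if __name__ == "__main__":
    # `openssl version -a | python3 this_script.py -` checks the local build;
    # with no argument the constructed samples are classified instead.
    inputs = [("stdin", sys.stdin.read())] if "-" in sys.argv[1:] else list(SAMPLES.items())
    for name, out in inputs:
        r = assess(out)
        print(f"{name:16s} {str(r['version']):12s} {r['verdict']}")
```

A verdict of "not affected" from the version string is reliable in the direction the advisory gives it (0.9.8, 1.0.0 and 1.0.1g or later never had the bug); the other verdicts only tell you where to look next, and a host that was vulnerable still needs its keys and certificates replaced after the upgrade.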