Well, that doesn’t look good…
You might have been hearing a lot on the news and over the internet lately about a thing called “Heartbleed”, and how a lot of your passwords and various log-in information across websites may be compromised. It’s kind of a big deal conversation, so let’s talk about what you need to know about the issue.
The Short Explanation
Heartbleed is a bug that affects the way your browser talks to a website over an encrypted channel. Someone wanting to use this bug maliciously could theoretically take advantage of it to unravel the securities put in place by sensitive online locations like bank websites or e-commerce sites, and steal passwords and other sensitive information. Not cool.
The Longer Explanation
Heartbleed is a flaw in the OpenSSL implementation of SSL, a basic cryptographic protocol that secures Web communications. It’s been hiding in the OpenSSL software for a long time. SSL stands for “Secure Socket Layer”, and essentially makes your connection to a website that requires the transmission of private information (like credit card numbers and Social Security Numbers) to be encrypted and secure. For instance, you know SSL is being used on a website like Amazon.com because of the “s” at the end of the “http” line in the web address (the lock image is a nice touch, too).
Note the “s” at the end of the “http” line.
Basically, it makes it so that your neighbor can’t “see” what you’re doing over your connection while you’re shopping or banking or whatever.
OpenSSL is the open-sourced version of SSL, and is used pretty heavily by the Apache and nginx Web servers. These two servers combined power what amounts to be almost two-thirds of all active websites on the internet, which is a lot!
The bug Heartbleed affects an extension in OpenSSL called “heartbeat”, essentially making it possible for malicious users of the web to request data from a Web server’s memory and “see” that previously secure data. That kind of data could include sensitive information. People abusing this flaw could then take that data and impersonate services and users.
The Problem in a (reasonably sized) nutshell
Data leakage is obviously the main issue. A companion problem to this issue is that it’s actually really difficult to tell if someone is exploiting this bug, which makes it really difficult to tell if you are or have been a potential victim. Since the bug has been around since around late 2013, it’s possible that there’s been a lot of undetected shenanigans going on all over the internet if people of questionable character have come across the bug. There’s a lot of room for these people to have messed with a lot of secure data and communications.
Since you can’t actually tell if a site you’ve visited or a site you own has been a victim of inappropriate activity, the best you can do is the following:
- Test your site or the site you’re visiting to see if it’s vulnerable. You can do that by following this link and following the instructions there.
- If you find out a site you own is vulnerable, update your version of OpenSSL to version 1.0.1g, which addressed the Heartbleed problem.
- As a general user of the internet, a good idea might be to change your usernames and passwords for sites you do business with. Just make sure the site has addressed this problem first, or the credentials update will be a little moot; if the security problem hasn’t been fixed yet, you’d just be providing new data that could just as easily be stolen.
For more information about the Heartbleed bug, you can visit Codenomicon.com for the latest news or Heartbleed.com for more in-depth information about the bug.