Researchers today discovered a serious flaw in the security software that keeps two-thirds of the web private. The bug, called “heartbleed,” has been a part of the “OpenSSL” software for two years without being detected. A patch has been written and is being distributed, but web servers running the old version are still affected. Don’t change your password just yet though – that could get stolen too until changes are rolled out.
SSL is a standard for communicating secretly over the internet – and not just for things like chat and email, but for just about any information that needs to be kept safe from prying eyes. Think of it like a way of agreeing upon a secret handshake, so that you always know that your computer is talking to the computer you told it to.
OpenSSL is a library of code, a collection of programs that make it easy for anyone to implement SSL on their computer. Programmers and web admins use this software to ensure that their users’ data isn’t being intercepted by a third party and stolen. OpenSSL is used by two-thirds of servers on the web today to exchange secure information.
The reason the Heartbleed bug is so serious is that it leaks information about the computers’ secret handshake. A hacker could use this bug to pretend to be an authorized computer and to intercept secure information being passed. Because the computer recognizes the handshake, it gives up the information it’s told to.
There are no known instances of the Heartbleed bug being used in the wild to steal data, as it was discovered by researchers testing their own system. Unfortunately, the bug also leaves no trace of its exploitation, which means any attacks would be unnoticed and would need to be identified from some other symptom.
The OpenSSL library is used in web servers, email servers, and chat servers, but not very many people have it installed on their own computer. Therefore, there is little you can do to ensure you’re protected. Even changing your passwords won’t help until servers have been patched, because any affected sites will still be leaking passwords. While the bug has been patched, it takes time for server administrators to update their systems with the new software. The systems of large institutions should be patched within the day, but less-frequently-updated sites could stay infected for a while.
For now we recommend that you change your passwords once you get a confirmation that the server has been patched and check to make sure that no suspicious activity has been occurring. Until more information comes out about any damage caused by this bug, we just won’t know how widespread it is. According to Ivan Ristic, head of SSL Labs at Qualys, “It’s going to get worse before it gets better.”
Update: The folks at Mashable.com have put together a list of major websites and how they’re affected by the bug. It will also tell you if you need to change your password there and the company’s statement on the problem. Check it out here
About The Author: Andrea Eldridge is CEO and co-founder of Nerds On Call, a computer repair company that specializes in on-site and online service for homes and businesses. Andrea is the writer of a weekly column, Nerd Chick Adventures in The Record Searchlight. She prepares TV segments for and appears regularly on CBS, CW and FOX on shows such as Good Day Sacramento, More Good Day Portland, and CBS 13 News, offering viewers technology and lifestyle tips. See Andrea in action at callnerds.com/andrea/.
