It seems as though every week there is a new hack or exploit that exposes millions of passwords or other sensitive data from a popular web service, and this week is no exception. On Tuesday, IT professionals got word of a serious flaw in OpenSSL, the open-source SSL/TLS library that an estimated two-thirds of the servers on the internet use to encrypt their traffic. The flaw, dubbed "Heartbleed," may have exposed the personal data of millions of users and the private keys of some of the web's largest services. Here's what you need to know:
Heartbleed is a bug in some versions of the OpenSSL software that handles encryption for a large share of the web (OpenSSL 1.0.1 through 1.0.1f are affected; 1.0.1g fixes it). In a nutshell, a weakness in one feature of the software, the so-called "heartbeat" extension, a keep-alive that lets either side check that a secure connection is still up without tearing it down and renegotiating it, lets an attacker read up to 64 KB of the other end's process memory per request, with no trace in the server's logs. Because the request can be repeated indefinitely, that memory can include passwords, session cookies and, in the worst case, the server's private key. It was discovered independently by the Finnish security company Codenomicon and Google researcher Neel Mehta, both of whom have helped coordinate the response…
As Tim Lee at Vox points out in his overview, the lock that you see in your browser’s address bar when you visit a website “is supposed to signal that third parties won’t be able to read any information you send or receive. Under the hood, SSL accomplishes that by transforming your data into a coded message that only the recipient knows how to decipher.” But researchers found it was possible to “send a cleverly formed, malicious heartbeat message that tricks the computer at the other end into divulging secret information…”
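Here is a small C model of the exchange the two paragraphs above describe, added as an illustration and not OpenSSL's own code: a client builds a heartbeat request whose length field claims far more payload than it carries, a responder shaped like the pre-1.0.1g OpenSSL handler trusts that field and copies that many bytes back, and a responder with the bounds check from the 1.0.1g patch discards the message. The memory arena, the "session=" secret placed next to the request, and all function names are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16        /* RFC 6520 requires at least 16 bytes of padding */
#define ARENA_SIZE  20000     /* constructed stand-in for the process's memory */

struct record {
    const uint8_t *data;      /* start of the heartbeat message */
    size_t         length;    /* bytes that actually arrived on the wire */
};

/* Encode: type(1) | payload_length(2, big-endian) | payload | padding.
 * claimed_len is what goes on the wire; the attack sets it far larger
 * than payload_len. Returns bytes written, or 0 if it does not fit. */
size_t build_heartbeat(uint8_t *out, size_t out_size,
                       const uint8_t *payload, size_t payload_len,
                       uint16_t claimed_len)
{
    size_t need = 1 + 2 + payload_len + HB_PADDING;
    if (need > out_size) return 0;
    out[0] = HB_REQUEST;
    out[1] = (uint8_t)(claimed_len >> 8);
    out[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(out + 3, payload, payload_len);
    memset(out + 3 + payload_len, 0xAA, HB_PADDING);
    return need;
}

/* Vulnerable responder, shaped like OpenSSL's handler before 1.0.1g: the
 * length comes from inside the message and is never compared with the
 * record length, so memcpy reads past the request into whatever follows.
 * Returns the response length, or -1 if the message is not a request. */
int heartbeat_vulnerable(const struct record *rec, uint8_t *resp, size_t resp_size)
{
    const uint8_t *p = rec->data;
    uint8_t  type    = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST) return -1;
    if ((size_t)3 + payload + HB_PADDING > resp_size) return -1; /* demo bound only */
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload >> 8);
    resp[2] = (uint8_t)(payload & 0xff);
    memcpy(resp + 3, p, payload);             /* BUG: over-read of up to 64 KB */
    memset(resp + 3 + payload, 0xAA, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Fixed responder: the checks the 1.0.1g patch added. A record too short
 * to hold header plus padding, or whose claimed payload does not fit in
 * what was actually received, is silently discarded. */
int heartbeat_fixed(const struct record *rec, uint8_t *resp, size_t resp_size)
{
    if (rec->length < 1 + 2 + HB_PADDING) return -1;
    const uint8_t *p = rec->data;
    uint8_t  type    = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST) return -1;
    if ((size_t)1 + 2 + payload + HB_PADDING > rec->length) return -1; /* the fix */
    if ((size_t)3 + payload + HB_PADDING > resp_size) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload >> 8);
    resp[2] = (uint8_t)(payload & 0xff);
    memcpy(resp + 3, p, payload);
    memset(resp + 3 + payload, 0xAA, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Constructed scenario: the request lands at the start of the arena and a
 * secret (a fake session cookie) sits in memory right after it. Returns the
 * handler's response length and sets *secret_leaked if the cookie came back. */
const char SECRET[] = "session=9f1c4e7a; user=alice";

int run_attack(int (*handler)(const struct record *, uint8_t *, size_t),
               uint16_t claimed_len, int *secret_leaked)
{
    static uint8_t arena[ARENA_SIZE], resp[ARENA_SIZE];
    memset(arena, 0, sizeof arena);
    memset(resp, 0, sizeof resp);
    size_t n = build_heartbeat(arena, sizeof arena, (const uint8_t *)"hi", 2, claimed_len);
    memcpy(arena + n, SECRET, sizeof SECRET);      /* "adjacent" memory */
    struct record rec = { arena, n };
    int len = handler(&rec, resp, sizeof resp);
    *secret_leaked = 0;
    size_t slen = strlen(SECRET);
    for (int i = 0; len > 0 && i + (int)slen <= len; i++)
        if (memcmp(resp + i, SECRET, slen) == 0) { *secret_leaked = 1; break; }
    return len;
}

int main(void)
{
    int leaked, len;
    len = run_attack(heartbeat_vulnerable, 16384, &leaked);
    printf("vulnerable: %d-byte response, secret leaked: %s\n", len, leaked ? "yes" : "no");
    len = run_attack(heartbeat_fixed, 16384, &leaked);
    printf("fixed:      response %d (discarded), secret leaked: %s\n", len, leaked ? "yes" : "no");
    len = run_attack(heartbeat_fixed, 2, &leaked);
    printf("fixed, honest request: %d-byte response\n", len);
    return 0;
}
```

The honest request carries a 2-byte payload and claims 2; the malicious one carries the same 2 bytes but claims 16384, which is how Valsorda-style checkers detect the bug from the outside: a patched server stays silent, an unpatched one answers with kilobytes it never received. The real handler could return up to 65535 bytes per request; the demo arena is simply sized to keep the over-read inside a buffer we own.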
If you are a web user, the short answer is: not much, and not yet. You can check the list of affected sites on Github, or try a tool from developer Filippo Valsorda that tests whether a site is still vulnerable (although false positives have been reported). Changing your passwords on the sites you use regularly is sensible, but only after a site has patched OpenSSL and replaced its certificate: a new password sent to a still-vulnerable server can be read out of its memory just like the old one, and a site that has patched but kept a possibly leaked private key can still be impersonated.
RTFA if you want all the gory details. The bug is two years old, albeit just discovered, so no one has a clue how long evildoers may have been screwing around with folks' accounts at sites containing the bug.
I'd suggest reading the list at Github and staying away from sites on the list until they disappear from it. Changing passwords, as suggested, at affected sites is a good idea as well, though I can think of problems happening if you're pinged while doing exactly that. If and when sites are certified clean, then change your passwords and do a thorough job of it.
UPDATE: NSA scumbags knew about the bug for two years and used it to break into encrypted communications, rather than notify American companies and consumers so they might protect themselves… http://tinyurl.com/mq8owa2