It's been a while since there was a computer
security bug that potentially affected a very large number of people.
Unfortunately, it seems like we may all have
been facing one for two years and not even realized it.
Recently, security researchers announced a
security flaw in OpenSSL, a popular data encryption library, that gives
hackers who know about it the ability to extract massive amounts of data
from the internet services that we use every day and assume are mostly
This isn't simply a bug in some application that
can quickly be updated. The vulnerability is in the machines that power
services that transmit secure information, such as Facebook and Gmail.
If you want to know more about the 'Heartbleed'
bug ... read on.
Heartbleed is a flaw in OpenSSL, the open-source
encryption library used by the many websites that need to transmit the
data that users want to keep secure. It basically gives you a secure
link when you're sending an email or chatting on IM.
Encryption works by making the data being
transmitted look like nonsense to anyone but the intended recipient.
Occasionally, one computer may want to check
that there's still a computer at the end of its secure connection, and
it will send out what's known as a 'heartbeat', which is a small packet
of data that asks for a response.
Because of a coding error in the implementation
of OpenSSL, researchers have found that it was possible to send a
well-disguised packet of data that looked like one of these heartbeats
to trick the computer at the other end into sending data stored in its
The flaw was first reported to the team behind
OpenSSL by Google security researcher Neel Mehta, and then independently
found by security firm Codenomicon. According to the researchers who
discovered the flaw, the code has been in OpenSSL for about two years,
and using it doesn't leave a trace.
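To make that coding error concrete, here is an added illustration (not OpenSSL's code and not material from the researchers): a simulated heartbeat handler with the missing length check beside the corrected one, run against a constructed block of memory. The record layout follows the heartbeat extension; PAYLOAD, SECRET and the buffer sizes are assumptions made for the simulation.

```c
#include <stdint.h>
#include <string.h>

/* Heartbeat record (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(16). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define PAYLOAD     "ping"                       /* the 4 bytes the peer really sends (constructed) */
#define REC_LEN     (3 + 4 + HB_PADDING)         /* 23 bytes actually received */
#define SECRET      "session=SECRET-COOKIE-1234; next: private key bytes"   /* constructed */

typedef int (*hb_handler)(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap);

/* Vulnerable handler: copies as many payload bytes as the peer's header claims, never
   checking that many bytes were received, so it reads whatever follows the record. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    (void)rec_len;                               /* the bug: the real record length is ignored */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 3 + payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;           /* only the output buffer is bounded */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);       /* over-read whenever payload_len > 4 */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Fixed handler (the bounds check the OpenSSL fix added): silently discard the request
   when the claimed payload plus padding would not fit inside the received record. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 + HB_PADDING) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload_len + HB_PADDING > rec_len) return -1;
    return heartbeat_vulnerable(rec, rec_len, out, out_cap);  /* the copy is safe once checked */
}

/* Constructed server memory: one heartbeat record followed directly by SECRET. Runs the
   handler on a record whose header claims `claimed_len` payload bytes and reports:
   -1 = request dropped, 0 = response contained no secret, 1 = SECRET leaked. */
int run_handler(hb_handler handler, uint16_t claimed_len)
{
    static uint8_t memory[256], out[256];
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (uint8_t)(claimed_len >> 8); memory[2] = (uint8_t)claimed_len;
    memcpy(memory + 3, PAYLOAD, 4);
    memcpy(memory + REC_LEN, SECRET, strlen(SECRET));
    int n = handler(memory, REC_LEN, out, sizeof out);
    if (n < 0) return -1;
    return (n > REC_LEN + 8 && memcmp(out + REC_LEN, SECRET, 8) == 0) ? 1 : 0;
}
```

Nothing here touches the network or real TLS; the point is only that a single missing comparison between the claimed and the received length is what lets memory beyond the record into the reply.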
So, how bad is that? ... It's potentially
really bad. Web servers can keep a lot of information in their active
memory, including usernames, passwords, and even the content that users
have uploaded to a service. According to some analysts, even credit-card
numbers could be pulled out of the data sitting in memory on the servers
that power some services.
But worse than that, the flaw has made it
possible for hackers to steal encryption keys — the codes used to turn
gibberish-encrypted data into readable information.
With encryption keys, hackers could intercept
encrypted data moving to and from a site's servers and read it without
establishing a secure connection. This means that unless the
organisations running vulnerable servers change their keys, even future
traffic will be susceptible.
Are you affected? ... Possibly, though again,
this isn't simply an issue on your personal computer or your phone —
it's in the software that powers the services you use. You are likely to
be affected either directly or indirectly. OpenSSL is a very popular
open source cryptographic library and TLS (transport layer security)
implementation used to encrypt traffic on the Internet. Your popular
social site, your company's site, commercial site, hobby site, sites you
install software from or even sites run by your government might well be
using vulnerable OpenSSL.
According to a recent web server survey up to
66% of sites are powered by technology built around SSL, and that
doesn't include email services, chat services, and a wide variety of
apps available on every platform.
So what can you do to protect yourself? ...
Since the vulnerability has been in OpenSSL for about two years and
using it leaves no trace, assume that your accounts could be
compromised. You should change your online passwords, especially for
services where privacy and security are major concerns. However, many
sites likely haven't upgraded to software without the bug, so
immediately changing them still might not help.
The researchers who discovered the flaw let the
developers behind OpenSSL know several days before announcing the
vulnerability, so it was fixed before word got out yesterday. We would
expect that most major service providers would already be updating their
sites, so the bug will be less prevalent over coming weeks.
Page dated April 2014