Heartbleed is an error in OpenSSL, the open-source encryption standard used by many websites that need to transmit the data that users want to keep confidential. For instance, this is used when you’re sending an email or chatting on IM. This encryption works by making it so that any data being sent apparently looks absurd to anyone but the intended recipient.
Sometimes a computer might want to verify that there’s still a computer at the other end of its secure connection, sending out what’s known as a heartbeat, a small packet of data that asks for a response. But due to the programming error in the implementation of OpenSSL, it is possible to send a black-outed packet of data that appears like one of these heartbeats to trick the computer at the other end, making it send data stored in its memory.
This error was first reported to the team behind OpenSSL by Google security researcher Neel Mehta, and independently found by security firm Codenomicon. The most disturbing news was that this code has been in OpenSSL for about two years, and unfortunately, using it doesn’t leave a trace.
Web servers can keep a lot of information in their active memory: usernames, passwords, the content that users have uploaded to a service, and even credit-card numbers could be pulled out of the data sitting in memory on the servers that power such services. So it’s obvious how bad this could be, especially because the flaw made it possible for hackers to steal encryption keys, codes used to turn encrypted data into readable information, meaning that unless the vulnerable companies running this servers change their keys, even future traffic could become sensitive.
There is a probability that PC and smartphone owners to be affected by Heartbleed, Codenomicon reported that they can be affected directly or indirectly:
“OpenSSL is the most popular open source cryptographic library and TLS implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commercial site, hobby site, sites you install software from or even sites run by your government might be using vulnerable OpenSSL.”
Netcraft looked at nearly 959,000,000 websites, 66% of this sites are powered by technology built around SSL, and that doesn’t include email services, chat services, and a variety of apps available on every platform.
Unfortunately the vulnerability has been in the OpenSSL for almost two years, and using it leaves no trace, that being said, you can consider yourself affected, your accounts may be already compromised.
The first advice would be to change your online passwords, especially for services where privacy and security are major concerns. Though many sites haven’t upgraded to software without the bug, changing them still might not help.
Most major service providers should already be updating their sites, so the bug will be less prevalent over coming weeks. Several tech firms are urging people to change all their passwords after the discovery of a major security flaw.
Tumblr, the Yahoo blogging platform, has already advised the public to “change your passwords everywhere – especially your high-security services like email, file storage and banking”.
Professor Alan Woodward from University of Surrey suggests the following rules should be observed when picking a new password:
Don’t choose one obviously associated with you, because hackers can find out a lot about you from social media.
Choose words that don’t appear in a dictionary, hackers can precalculate the encrypted forms of whole dictionaries and easily reverse engineer your password.
Use a mixture of unusual characters, you can use a word or phrase that you can easily remember but where characters are substituted, like Myd0gha2B1g3ars!
Have different passwords for different sites and systems, if hackers compromise one system, you do not want them having the key to unlock all your other accounts.
Keep them safely, with multiple passwords it is tempting to write them down and carry them around with you. Better to use some form of secure password vault on your phone.
“If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested, in that sense it’s a good idea to change the passwords on all the updated web portals”, said Ari Takanen, Codenomicon’s chief technology officer.
It appears that Yahoo was not included on the list of organizations warned by Google about this issue, Cnet reported that some people were able to obtain usernames and passwords from the company before it was able to apply the fix.
“Our team has successfully made the appropriate corrections across the main Yahoo properties – Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr – and we are working to implement the fix across the rest of our sites right now,” said a spokeswoman for the company.
Security companies have already developed tests that can reveal if a service remains vulnerable to the flaw:
“I think there is a low to medium risk that any given password has been compromised. It’s not the same as previous breaches where there’s been confirmed password lists posted to the internet. It’s not as urgent as that. But changing your password is very easy. So it’s not a bad idea but it’s not something people have to rush out to do unless the service recommends you do so”, said Dr Steven Murdoch.