What You Need to Know About Heartbleed
By Tracey Dowdy
When we hear that major tech companies and websites are scrambling to close security gaps in their systems, most of us have no idea how to respond. Does it impact us as individuals? Is our data compromised? Do we have to change every password for every site we’ve ever visited?
What is Heartbleed anyway?
Heartbleed is a security flaw in OpenSSL, a widely used open-source library that implements SSL/TLS, the encryption behind the padlock in your browser that secures the connection between you and a website. It’s important to note that Heartbleed is not a virus; it’s a bug. A computer virus works on the same principle as a biological virus, tricking the host into replicating it and so spreading to other computers. A bug is simply a defect in a computer program; nothing has to infect your computer for someone to take advantage of it.
Heartbleed is a flaw in one small feature. To check that the computer on the other end of a connection is still there, a computer or server can send a small packet of data – a “heartbeat” – and expect to get the same data echoed back. The request includes a number saying how much data it contains. Vulnerable versions of OpenSSL never compared that number with the size of the packet that actually arrived, so an attacker can send a tiny heartbeat while claiming it is much larger (up to about 64 kilobytes), and the server obligingly fills the reply with whatever happens to be sitting in its memory next to the request.
That memory can contain anything the server was recently working with: other users’ passwords and login cookies, credit card numbers, and even the server’s private encryption key – the secret that lets whoever holds it decrypt traffic to the site or impersonate it. The attacker can repeat the request as often as they like and collect a fresh slice of memory each time.
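Here is what that flaw looks like in code. This is an added illustration written for this article, not OpenSSL’s own source: a simplified heartbeat handler in C with the missing check, beside the one-line fix, run against a made-up slice of memory in which a fake login cookie and card number happen to sit right after the request. The memory layout, the secret, and the function names are all constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a slice of server memory: the heartbeat request
 * sits at the start and a "secret" happens to live right after it.  This
 * layout is invented for the demo; it is not OpenSSL's real heap. */
#define MEM_SIZE 128
static unsigned char mem[MEM_SIZE];

/* Heartbeat record layout (RFC 6520): type(1) | payload_length(2) | payload | padding(16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER = 3, HB_PADDING = 16 };

/* Build a request whose header claims `claimed` payload bytes but really
 * carries only `actual`, then plant `secret` just past the end of it.
 * Returns the record length the TLS layer actually received. */
static size_t build_request(uint16_t claimed, size_t actual, const char *secret)
{
    memset(mem, 0, sizeof mem);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed >> 8);
    mem[2] = (unsigned char)(claimed & 0xff);
    memset(mem + HB_HEADER, 'A', actual);
    size_t record_len = HB_HEADER + actual + HB_PADDING;
    strcpy((char *)mem + record_len, secret);   /* neighbouring memory, not part of the record */
    return record_len;
}

/* Vulnerable handler: trusts the declared length and never compares it with
 * record_len (the shape of the OpenSSL 1.0.1 bug, simplified). */
static int heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                                unsigned char *out, size_t out_cap)
{
    (void)record_len;                                   /* the comparison that never happens */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload > out_cap) return -1;   /* only protects this demo's buffer */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);  /* reads far past the real 4 bytes */
    return HB_HEADER + payload;
}

/* Fixed handler: a request whose declared length does not fit inside the
 * record it arrived in is silently discarded. */
static int heartbeat_fixed(const unsigned char *rec, size_t record_len,
                           unsigned char *out, size_t out_cap)
{
    if (record_len < HB_HEADER + HB_PADDING) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload + HB_PADDING > record_len) return -1;  /* the missing check */
    if ((size_t)HB_HEADER + payload > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    return HB_HEADER + payload;
}

/* Does `needle` appear anywhere in the first n bytes of hay? */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

static const char SECRET[] = "session=4f3c2a; card=4111111111111111";   /* constructed */

/* Attacker sends 4 real bytes but claims 64: does the reply contain the secret? */
int vulnerable_reply_leaks_secret(void)
{
    unsigned char out[MEM_SIZE];
    size_t len = build_request(64, 4, SECRET);
    int n = heartbeat_vulnerable(mem, len, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, SECRET);
}

/* The same lying request against the fixed handler must be dropped. */
int fixed_drops_lying_request(void)
{
    unsigned char out[MEM_SIZE];
    size_t len = build_request(64, 4, SECRET);
    return heartbeat_fixed(mem, len, out, sizeof out) == -1;
}

/* An honest request (declared length matches) still gets a normal echo. */
int fixed_echoes_honest_request(void)
{
    unsigned char out[MEM_SIZE];
    size_t len = build_request(4, 4, SECRET);
    int n = heartbeat_fixed(mem, len, out, sizeof out);
    return n == HB_HEADER + 4 && memcmp(out + HB_HEADER, "AAAA", 4) == 0
           && !contains(out, (size_t)n, SECRET);
}

int main(void)
{
    printf("vulnerable reply leaks secret:  %d\n", vulnerable_reply_leaks_secret());
    printf("fixed drops lying request:      %d\n", fixed_drops_lying_request());
    printf("fixed echoes honest request:    %d\n", fixed_echoes_honest_request());
    return 0;
}
```

The whole bug is the absence of the one comparison marked “the missing check”: the vulnerable handler copies as many bytes as the attacker asked for, and the fixed one refuses any request that asks for more than it brought.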
We’re just now learning about the flaw, but it has been in OpenSSL since early 2012 (version 1.0.1), and it’s difficult to know which sites have actually been attacked, because an exploit attempt looks like any other heartbeat and leaves no trace in normal server logs.
Is it as bad as it seems?
The short answer is yes. The slightly longer answer is maybe not.
“You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commercial sites, hobby sites, sites you install software from, or even sites run by your government might be using vulnerable OpenSSL.” Business Insider.
The researchers who discovered the flaw notified the OpenSSL developers before making it public, so a fixed version (OpenSSL 1.0.1g) was available the same day the bug was announced, and many sites were already patching before it made headlines.
If you’re still confused as to whether or not to change your passwords, you’re not alone. Depending on whom you ask, some experts say you should change your passwords immediately while others say it is better to wait. If a site hasn’t yet installed the fix, changing your password won’t help, because the new password can be leaked in exactly the same way. The sensible order is to wait until the site says it has patched (and, ideally, replaced its security certificate, since the old private key may have leaked), then change your password, and not reuse that password anywhere else. CNET has compiled a list of the top 100 sites across the web, noting which were affected and whether a patch has been put in place. The list is updated each time a site responds, so it’s worth checking back to stay up to date.
Stephen Farrell, a cryptologist at Trinity College, Dublin offers this advice: “Don’t panic…People who administer servers should be, or have finished, patching. I think all mine are done. And ordinary people should be, as always, using up-to-date browsers.”
Tracey Dowdy is a freelance writer based just outside Toronto, Ontario. After years working for non-profits and charities, she now freelances and researches on subjects from family and education to pop culture and trends in technology.