No, it’s not a medical condition or an ailment of any type. You may not have heard of it yet, but discovered on Monday was the Heartbleed Bug, which is a very serious security flaw that has affected majority of the internet. This bug allows hackers to essentially have access to all of the servers that your favourite websites may be using.
WHAT IS THE HEARTBLEED BUG?
To be technical, the Heartbleed Bug is a vulnerability found in OpenSSL, which is a cryptographic software library. It allows for the access of information, by those who most definitely should not have access to it, that is protected by the SSL/TLS encryption. This encryption provides security over the internet for websites, email and almost every application on the internet that uses some sort of communication. You may recall, when setting up your IMAP or POP3 email in Microsoft Outlook, or Apple Mail, that you have the option of selecting the type of encryption level (SSL or TLS) preferred by your internet service provider (ISP) or email provider.
Essentially this implementation problem, or a programming mistake, of the OpenSSL library, leaks information from the memory components of the server to the client, and vice-versa. This leak allows for clients to have access to three different sets of information. The first is the encryption keys themselves, which allows for hackers to determine and undermine the encryption that may be placed on the website. This is the ‘big-one’ as this would allow hackers to bypass all security, without being noticed. The second set is in relation to individual user names and passwords, while the third set is personal and financial information, such as emails.
HOW DOES IT AFFECT ME, DO I NEED TO DO ANYTHING?
In short, yes and no.
Many popular websites that utilize the OpenSSL encryption have been affected, such as Google, Facebook, and Yahoo!. Meanwhile some others have not, such as Amazon, Paypal and Apple. Some websites that were affected have already issued a fix for the vulnerability, where others are still working towards a solution. If your website has not yet issued a statement in regards to a patch or solution, it is advised to not yet change your password, as this could cause “red-flags” and further increase your vulnerability. If your website has issued a fix to the Heartbleed Bug, then it is advised to go ahead and change your passwords. You should also make sure that if you are an avid online-banker, to keep an eye on your financial statements. Finally, if you have not heard or read anything from a website you log into regularly, do not be afraid to approach them about the security fix. It is your personal information we are talking about here that could be vulnerable.
CNET has put together a pretty extensive list of websites that have, and have not, been affected by the flaw, as well as your next steps that are required for that particular website. You can find that list here.
Some of the more noticeable sites that have already patched the flawed encryption are:
WHAT HAPPENS NEXT?
While this will be a painful process for the security community, it will also be a very good process as well. As this security fix is being rolled out across the internet, many websites who may be a step-behind in their encryption, and software companies who produce operating systems who utilize older versions of the OpenSSL, will have to implement the fix in order to ensure that their users are safe. This fix is a substantial one, and will take time to reach the far ends of the internet, but in the end we will be able to rest knowing that the Heartbleed Bug will not be making us itch any time soon.
If you are looking for more details, and a comprehensive explanation of the Heartbleed Bug, then we encourage you to take a look at Heartbleed.com