Three questions about the 'Heartbleed' bug

A group of security researchers uncovered a major vulnerability in the encryption technology used by millions of websites.

Heartbleed is a security flaw discovered by security firm Codenomicon and members of Google Security. It's found in OpenSSL, which is used to protect sensitive data such as emails, passwords or credit card data.

Here are three key questions about the vulnerability:

1. What is Heartbleed?

It's a major bug that affects the technology used to encrypt sensitive information. Ever log in to email or your banking account and notice the "HTTPS" and green lock? That's SSL/TLS, and OpenSSL is among the most popular variants of it.

Heartbleed is a leak in that system that lets anyone read the memory of servers running OpenSSL. "This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content," reads a statement from a Heartbleed website set up by Codenomicon to explain the bug. "This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

Codenomicon says it's not clear whether the vulnerability has been abused, but since Heartbleed has been exploitable for a long time, it's difficult to determine whether any service is completely safe.

2. What sites are affected?

Citing an April survey from research site Netcraft, Codenomicon's Heartbleed website says roughly two-thirds of active sites on the Internet run OpenSSL. So, yeah, a lot.

Among the big names affected was Yahoo, which is running OpenSSL. In a statement to the AP, Yahoo says its bigger services such as Finance and Tumblr have been fixed, but they're still working on other Yahoo products. Tumblr is urging its users to change their passwords as soon as possible.

"We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue," says Tumblr.

A Heartbleed test has been created that lets users plug in a website name to determine if it's safe. Qualys also hosts a similar inspection of SSL. Vox reportsGoogle and Facebook have addressed the issue, while Microsoft is monitoring the situation. Amazon says it updated its services to address the bug.

3. How can I protect myself?

That's the tricky part. Security experts tell the AP a password change won't help if the services affected by Heartbleed aren't updated.

Codenomicon says many large consumer sites should be safe, but sites that will likely feel the strongest impact are "smaller and more progressive services or those who have upgraded to latest and best encryption."

But it's clear many Internet users will soon be busy updating their accounts across all services. "This might be a good day to call in sick and take some time to change your passwords everywhere," says Tumblr.


To find out more about Facebook commenting please read the
Conversation Guidelines and FAQs

Leave a Comment