Heartbleed Bug: Everything You Need to Know
The Heartbleed bug has the internet in an uproar of worry, security updates, and (of course) accusations that the NSA knew about and exploited the bug. It’s one of the most serious security vulnerabilities the internet has seen in recent years. Everyone seems to be talking about it, but what does it mean for the average internet user, and what can we do about it?
Here is everything you need to know about the Heartbleed bug, in convenient list form (we know you love those, internet).
What is Heartbleed?
Heartbleed is the name given to a critical security flaw in the popular open-source cryptographic software OpenSSL, which left many websites open to data theft and impersonation.
One might think “Heartbleed” is a name better suited to a lovelorn X-Men villain than a wide-reaching and rather terrifying security vulnerability, but the title actually comes from a systems admin over at Codenomicon, named Ossi Herrala, who apparently decided it was more poetic than its official designation, CVE-2014-0160 (the line of code that contained the actual bug).
So, our choices are Emo Supervillain or Hal-9000’s steroid-using older brother…
According to CNET:
Heartbleed is a play on words referring to an extension on OpenSSL called “heartbeat.” The protocol is used to keep connections open, even when data isn’t being shared between those connections. Herrala “thought it was fitting to call it Heartbleed because it was bleeding out the important information from the memory,”…
What Does Heartbleed Do?
This vulnerability could potentially allow hackers and cyber thieves to access user names, passwords, credit card numbers, emails, instant messages, and a slew of other sensitive data normally encrypted by websites.
As if that wasn’t scary enough, the bug makes it possible for hackers to use a server’s digital keys (SSL certificates) to effectively impersonate servers and trick users into using counterfeit websites (think bogus PayPal or Bank Account login pages).
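How a heartbeat reply can "bleed" memory, as an added illustration that is not from the original article and is not OpenSSL's code: a heartbeat request states how many payload bytes it carries, and the flawed logic echoed back that many bytes without comparing the claim to the size of the record actually received. The buffer layout, function names and the secret string are constructed for this sketch, which runs entirely in local memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  3   /* 1-byte type + 2-byte claimed payload length */
#define HB_PADDING 16  /* minimum padding after the payload (RFC 6520) */

/* Constructed stand-in for server memory: request first, unrelated data behind it. */
static uint8_t mem[96];

/* Store a request carrying "ping" but claiming `claimed` bytes; returns the real record length. */
static size_t store_request(uint16_t claimed)
{
    size_t rec_len = HB_HEADER + 4 + HB_PADDING;
    memset(mem, 0, sizeof mem);
    mem[0] = 1;                                   /* heartbeat request */
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + HB_HEADER, "ping", 4);
    memcpy(mem + rec_len, "CONSTRUCTED-SECRET", 18); /* made-up neighbouring data */
    return rec_len;
}

/* Flawed logic: echo as many bytes as the request claims to contain. */
static size_t reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                                /* real length never consulted */
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* Corrected logic: silently drop the request unless the claim fits inside the record. */
static size_t reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return 0;
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

int main(void)
{
    uint8_t out[96];
    size_t n = store_request(40);                 /* claims 40 bytes, carries 4 */
    printf("unchecked: %zu, checked: %zu\n", reply_unchecked(mem, n, out), reply_checked(mem, n, out));
    return 0;
}
```

The unchecked reply hands back the neighbouring data along with the payload, while the checked version returns nothing for the same request.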
Did Heartbleed Affect the Whole Internet?
No. Granted, OpenSSL is a very popular SSL option, but there are many others in use across the web that did not have this vulnerability. Even many websites using OpenSSL were running an older version that was unaffected, or didn’t enable the specific “heartbeat” feature that caused the security flaw.
If you want to test whether a site is currently affected (or whether affected sites have been fixed), you can test a URL here.
How Can I Tell If My Data Has Been Stolen?
Sadly, you can’t. According to the folks over at Codenomicon, the Heartbleed vulnerability “leaves no traces of anything abnormal happening.”
So, What Can I Do?
For starters, change your passwords for any affected sites, once you’ve checked to make sure that the site has patched their OpenSSL software. You don’t want to change your passwords, only to find out that the site is still vulnerable.
If you’re not sure whether a site you use has been affected, Mashable has a Heartbleed Hit List that lists the websites whose passwords you should change immediately. Sadly, there are some pretty big names on that list (Facebook, Pinterest, Twitter, and a bunch of others.)
For your own computers, it’s always recommended to have up-to-date internet security software, to protect your own data from potential hackers or malware.