What is Heartbleed?
It’s a flaw in an open source library called OpenSSL, the mechanism that keeps the transfer of information secure on many, many online sites and services. This includes when you instant message, when you log in or out of a site and when you send credit card information, to name a few things. When data is encrypted, it looks like gibberish to anyone but the intended recipient. To make sure the intended recipient is on the other end, a small bit of data, known as a “heartbeat”, is sent out from one computer to another. If the data gets a response, the destination is verified and the information is released, securely. Heartbleed is a flaw that allows a fake packet of information, or fake heartbeat, to get the same verification as a real one.
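To make the “fake heartbeat” concrete, here is a simplified model of how a heartbeat message is handled, added to this explainer as an illustration; it is not the article’s material and not OpenSSL’s own source. It assumes the message layout of the TLS heartbeat extension (a one-byte type, a two-byte payload length, the payload, then at least 16 bytes of padding) and uses a constructed bytearray standing in for the receiving program’s memory, with made-up neighbouring data placed right after the received record. The vulnerable handler trusts the length the sender claims; the fixed handler discards any heartbeat whose claimed length does not fit inside the record that actually arrived, which is the bounds check the patched OpenSSL added.

```python
"""Added illustration of the Heartbleed length check, not OpenSSL's code."""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # heartbeat messages carry at least 16 bytes of random padding

# Constructed sample: unrelated data that happens to sit next to the record in memory.
NEIGHBOURING_MEMORY = b"session-cookie=abc123;"


def build_heartbeat(claimed_len: int, payload: bytes) -> bytes:
    """Build a heartbeat record: type(1) | payload_length(2) | payload | padding.

    claimed_len is what the sender *says* the payload length is; an honest
    sender uses len(payload), a malformed one can claim far more.
    """
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def handle_heartbeat_vulnerable(memory: bytearray, record_len: int) -> bytes:
    """Pre-fix behaviour: echo back claimed_len bytes starting at the payload,
    without checking that many bytes were actually received."""
    hb_type, claimed_len = struct.unpack("!BH", memory[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    payload = bytes(memory[3:3 + claimed_len])  # may run past the record into other data
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + payload + b"\x00" * PADDING_LEN


def handle_heartbeat_fixed(memory: bytearray, record_len: int) -> bytes:
    """Fixed behaviour: the header, claimed payload and padding must all fit in
    the record that was received; otherwise the message is silently dropped."""
    hb_type, claimed_len = struct.unpack("!BH", memory[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    if 1 + 2 + claimed_len + PADDING_LEN > record_len:
        return b""  # claimed length does not match what arrived: discard
    payload = bytes(memory[3:3 + claimed_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + payload + b"\x00" * PADDING_LEN


def simulate(handler, claimed_len: int, payload: bytes = b"hello") -> bytes:
    """Deliver one heartbeat to a handler; memory = the record followed by
    the constructed neighbouring data."""
    record = build_heartbeat(claimed_len, payload)
    memory = bytearray(record + NEIGHBOURING_MEMORY)
    return handler(memory, len(record))


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response (empty if dropped)."""
    if not response:
        return b""
    _, n = struct.unpack("!BH", response[:3])
    return response[3:3 + n]


if __name__ == "__main__":
    # An honest heartbeat (claimed length == real length) is echoed by both handlers.
    print(response_payload(simulate(handle_heartbeat_vulnerable, 5)))
    print(response_payload(simulate(handle_heartbeat_fixed, 5)))
    # A heartbeat claiming 40 bytes but carrying 5: the old handler leaks
    # neighbouring memory in its reply, the fixed handler replies with nothing.
    print(response_payload(simulate(handle_heartbeat_vulnerable, 40)))
    print(simulate(handle_heartbeat_fixed, 40))
```

The point a defender should take from the model is in `handle_heartbeat_fixed`: the only change is a comparison of the length the peer claims against the length that actually arrived, which is why the article can say the flaw is fixed in a new release while still being hard to roll out everywhere.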
How do hackers use it?
Hackers could potentially use the flaw to access encrypted data — think credit card information, instant messages and logins and passwords. Codenomicon, the company that discovered the flaw, attacked itself, and was able to steal the keys used for user names, passwords, instant messages, emails and critical documents.
How serious is it?
Computer security expert Bruce Schneier said on a scale of 1 to 10, this is an 11. The Canada Revenue Agency, Canada’s tax bureau, shut down its website to protect against Heartbleed. Your personal information has potentially been exposed for two years.
Why are we only hearing about it now?
Security researchers only discovered it recently, but it went undetected for two years. We don’t know whether or not it’s been exploited all this time, or whether anyone took advantage of the flaw until it was announced Monday.
Can it be fixed?
Yes, but it’s not that simple. Usually, bugs in software can be fixed easily with extensions or updates. But, because the vulnerability has been exposed for two years, and most of the internet’s secure connections run on OpenSSL, it’s a lot more complicated.
When will it be fixed?
The current version of OpenSSL has the glitch that makes the program vulnerable to hackers. A fixed version, called Fixed OpenSSL, has been released but it is up to service providers to install it as it becomes compatible with their software.
So should I change all of my passwords?
Not yet. Your service providers, like your bank, email server and other online accounts will send out a notice when the Fixed OpenSSL is active on their platforms.
Will I know if I’ve been attacked?
No. Again, Codenomicon hacked itself without a trace.
How much of the web is affected?
Codenomicon says roughly two-thirds of websites use the extension that is vulnerable to the Heartbleed bug. Open source web servers like Apache and nginx use OpenSSL, and their combined market share of active sites on the Internet was over 66% according to Netcraft’s April 2014 Web Server Survey.
How was it discovered?
A team of security engineers (Riku, Antti and Matti) at Finnish computer security firm Codenomicon and Neel Mehta of Google Security first reported it to the OpenSSL team. The Codenomicon team found it while working on improvements to their defense software.