With a name like Heartbleed, it’s no surprise it’s bad. A vulnerability in OpenSSL — the Internet’s most commonly used cryptographic library — has been bleeding out information, 64 kilobytes at a time, since March 2012.
“I would classify it as possibly the top bug that has hit the Internet that I’ve encountered, because of it being so widespread, because it’s so hard to detect,” says Andy Grant, a security analyst at iSEC Partners.
Are you affected? Well, users may not even realize they are using OpenSSL. But if you’ve ever noticed that websites you access show an “https” address, and a lock appears next to the address, you’re on OpenSSL.
OpenSSL encrypts your data, including passwords and personal information, when it travels to a server. That means you may enter a password into your online banking site, but as the information for your transaction travels to your bank, it’s jumbled up and made indecipherable — encrypted — as it’s traveling through the Internet. This is supposed to keep hackers from eavesdropping.
Just before the bug was publicly disclosed, the people who maintain OpenSSL had fixed the vulnerability. But it’s up to Internet companies to enter fixes for their own software — “swapping out” the cyberlocks that protected their data.
“You’re probably protected from this point going forward,” NPR’s news applications developer Jeremy Bowers told member station WUNC on Wednesday. “The part that is dangerous is the [open vulnerability of the] previous two years and the possibility that at any point since 2012 that your [logins] for various places were compromised.”
While individual users can’t patch the holes, keep in mind some general Internet hygiene that we should be doing anyway.
- Change your password every few months. Because so many of our transactions are conducted online, this is a good practice to have no matter what. But to be extra safe, use two-factor authentication, which typically means you need to know a piece of information — like a password — and have a piece of information, like a freshly generated pass code that shows up only on your personal smartphone, before getting into certain sites.
- Be a little leery of public Wi-Fi networks. If you are hopping on the Wi-Fi at Starbucks and other public places, limit your Internet behavior to the things you wouldn’t mind people being able to find out and transactions that aren’t especially sensitive.
- If you have VPN, use it. If your company or school offers a virtual public network, or VPN, connect that way. It’s still fairly safe.
- Don’t freak out. Sites like Amazon, Google and other major Internet companies have already secured themselves and fixed the vulnerabilities disclosed this week.
- Test to see which sites are vulnerable. LastPass has created a Web app that will tell you what kind of encryption a site uses, and when the encryption was last updated. Filippo Valsorda and SSL Labs have built a Web app that will test whether a site is still vulnerable to the Heartbleed bug. And Bluebox Security, a mobile security company, built an app that will scan your Android phone to test whether it uses vulnerable versions of OpenSSL, either in its operating system or in any of your apps.