Heartbleed: The bug that could affect two-thirds of the web

April 10, 2014 10:31:49 AM PDT
The Heartbleed bug is a flaw in Internet security that very likely affects you. The name sounds dramatic, almost romantic, and kind of Matrix-y, but what is it? Should you be worried about it, or leave this one to the techies?

It turns out that yes, you should be worried, because we all use the websites affected by Heartbleed. From banks to social media, many popular sites and services like Google, Facebook, and even OKCupid were using the software that was made vulnerable, so no one is really exempt.

What is Heartbleed, exactly?

Before we talk about what Heartbleed is, we need to understand encryption. Encryption makes most of us think of secret codes and ciphers, which is part of what actually happens. The basic idea is to keep the information you send safe, so it can only be used by the intended recipient. To keep that info safe, encryption uses "keys". Imagine you're in an action movie, and to disable the bomb and save the world, you need to turn two keys at the same time. That's (kind of) what encryption is, except the keys are stored on your computer and on the other end of the connection (the web app or server), and they work automatically.

Now let's get geeky: the Internet has a set of rules for handling security, known as Secure Sockets Layer (SSL). As with other web protocols, there are lots of ways to provide SSL to a website or app. OpenSSL is the most common one: it's free, and designed to be useful in many areas of the web. Tons of web services use OpenSSL, but so do some email services and instant messaging clients. It runs on about two-thirds of the web, so even if you don't know it, you probably interact with it multiple times a day.

Can we get back to Heartbleed, please?

Okay, so we all know the Internet has flaws sometimes. It's not perfect, and you should not expect it to protect you. Sometimes, someone else gains access to those secret keys — they fall into the hands of the enemy, so to speak. Heartbleed is a flaw in OpenSSL that lets someone secretly gain access to the keys, make their own copy, and eavesdrop on everything you say (emails, passwords, identity stuff, you name it). That's why Heartbleed is so scary, and the worst part is that it operates in total stealth mode. So much information could be accessed, and you would have no idea.

What can I do to protect my stuff on the Internet?

First, check out these lists from Mashable and CNET to see which sites have been affected. You probably use some of them. Many websites have issued "patches" to fix the problem on their own servers. The problem now is that companies have to reissue digital certificates, which are used by web browsers like Chrome to make sure a web server is safe. Websites apply for certificates as a way to give themselves credibility, but now they'll have to get new ones. This process takes time, and in the meantime, the Heartbleed bug is crawling around, looking for vulnerabilities.

Change your password, and — we can't emphasize this enough — don't use the same password for every website. Even if you're sure no one will ever guess it, they're called hackers for a reason. The larger sites are scrambling to fix the bug, but smaller websites don't have the same resources. If you used the same password on small sites, or even when checking into a random B&B in the northeast, your information could be everywhere.

The big takeaway? While the Internet is always useful and often awesome, Heartbleed reminds us that we need to be very careful while using it.
