
10th Apr 2014

What is the ‘Heartbleed bug’ and should you be worried about it?

Online security experts have uncovered a major flaw in a key safety feature used for surfing the internet, so JOE takes a look at what exactly is going on and whether you should be worried...

Oisin Collins

So, what is this “Heartbleed bug” that everyone is talking about? Well, it’s an online security flaw that has gone undetected by security analysts for over two years.

It affects websites that use OpenSSL, which is software that encrypts your passwords, credit card numbers and personal information into a series of zeros and ones to ensure that your info isn’t stolen online. If you see a website that has ‘https’ in the URL along with an image of a closed padlock (see below), chances are that the site in question was using OpenSSL and was left open and vulnerable for the past two years.

[Image: https]

From time to time your computer might send out a “heartbeat”, or request, to ensure there’s still an active connection at the other end of the internet. However, security researchers at Codenomicon found that due to an error in OpenSSL, a packet of data could be made to resemble one of these computer ‘heartbeats’ and used to steal supposedly secure data. Business Insider explains: “Because of a programming error in the implementation of OpenSSL, the researchers found that it was possible to send a well-disguised packet of data that looked like one of these heartbeats to trick the computer at the other end into sending data stored in its memory.”
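To make that concrete, here is a small C simulation added for this article (it is not OpenSSL's code). It assumes a simplified request layout of one type byte, a two-byte claimed length and then the payload; the memory contents and the function names `echo_trusting` and `echo_checked` are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 3   /* assumed layout: 1 type byte + 2-byte big-endian claimed length */
#define MEM_LEN 32  /* size of the simulated memory region */
#define RECEIVED 5  /* bytes that actually arrived */

/* Constructed sample: a 5-byte request that claims a 16-byte payload but
   carries only "hi", followed by unrelated data held in the same memory. */
static const uint8_t MEM[MEM_LEN] = {
    0x01, 0x00, 0x10, 'h', 'i',
    'k', 'e', 'y', '=', 'S', '3', 'C', 'R', 'E', 'T',
};

/* Flawed handler: echoes as many bytes as the request claims to contain. */
size_t echo_trusting(const uint8_t *mem, size_t received, uint8_t *out, size_t cap)
{
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    (void)received;                       /* the real length is never consulted */
    if (claimed > MEM_LEN - HDR_LEN)      /* keeps this simulation inside MEM */
        claimed = MEM_LEN - HDR_LEN;
    if (claimed > cap)
        claimed = cap;
    memcpy(out, mem + HDR_LEN, claimed);  /* copies neighbouring bytes too */
    return claimed;
}

/* Checked handler: drops any request whose claimed length exceeds what arrived. */
size_t echo_checked(const uint8_t *mem, size_t received, uint8_t *out, size_t cap)
{
    if (received < HDR_LEN)
        return 0;
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (claimed > received - HDR_LEN || claimed > cap)
        return 0;                         /* discard, send nothing back */
    memcpy(out, mem + HDR_LEN, claimed);
    return claimed;
}

int main(void)
{
    uint8_t out[MEM_LEN];
    printf("trusting handler returned %zu bytes\n", echo_trusting(MEM, RECEIVED, out, sizeof out));
    printf("checked handler returned %zu bytes\n", echo_checked(MEM, RECEIVED, out, sizeof out));
    return 0;
}
```

The first handler hands back the two real payload bytes plus whatever sat next to them in memory; the second compares the claimed length with what was received and replies with nothing.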

This flaw has also made it possible for hackers to steal the encryption keys used by websites to turn your personal info into zeros and ones, making it easy for them to find credit card numbers and other information. To make matters worse, using the flaw as a “backdoor” entry doesn’t leave a trace, so hackers could have potentially been able to access all this supposedly ‘secure’ data for the past two years without anyone ever knowing.

So, the big question that is on everyone’s lips… Has the bug affected me personally? The answer is: possibly.

Security firm Codenomicon says: “You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commercial site, hobby site, sites you install software from or even sites run by your government might be using vulnerable OpenSSL.”

So what to do now? Should you change all your passwords? Sadly, yes; changing your passwords on websites that contain your personal information looks to be the safest option. Better to be safe than sorry… You could always leave your passwords as is, but it will leave you vulnerable to future attacks.

HOWEVER, changing your password will only make a difference if the website you’re using has updated their flawed OpenSSL software. If the site hasn’t updated then it will still be vulnerable to attacks and changing your password won’t make a blind bit of difference.

Thankfully, an Italian cryptographer named Filippo Valsorda has launched the “Heartbleed Test,” which can tell you if certain websites are still compromised.

So, to summarise: the Heartbleed bug actually is a fairly big deal, and the only way to ensure your personal info is safe is to change your passwords after the websites that you store your information on have updated their own flawed OpenSSL software.

For more information on this issue, head over to Heartbleed.com.

Pic via Heartbleed.com.
