What to do about Heartbleed, a gaping security hole affecting 66 percent of the Internet (at least)

There’s a security flaw in one of the basic encryption tools used by a huge number of websites, and it probably affects you.

Just to be safe, you should probably change your passwords. All of them.

Update 4/9: Before you change passwords on a site, first check to see if it is vulnerable to Heartbleed. Don’t change your password until you know it’s safe.

The flaw goes by the appropriately scary name “Heartbleed,” and it affects OpenSSL, a data encryption library used by — potentially — more than two-thirds of the Internet’s websites.

Above: The terrifying Heartbleed bug’s logo.

Image Credit: Heartbleed.com

In short, the bug means that attackers can “listen in” on communications between those websites and the browsers visiting them.

That “lock” icon that appears in your browser to indicate that you’re communicating with a secure website is an indication that your browser is using SSL. If it’s doing so with a website that’s using a relatively recent version of OpenSSL, your data could be compromised.

The flaw exists in versions of OpenSSL that have been in use for about two years, and no one knew about it — no one legitimate, anyway — until a few days ago. Since then, the security researchers who discovered the bug have notified some of the major affected websites as well as the organization responsible for OpenSSL, which has already issued a fix. They have also published an informational website at Heartbleed.com. That means major websites should be fixed soon, if they aren’t already — but given how widespread the bug is, it may be weeks, months, or even years before the affected version is completely out of distribution.
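The advice above to check whether a site is still vulnerable before changing a password has a server-side counterpart: an administrator needs to know whether the OpenSSL build they are running is in the affected range. The following Python check is an added example, not code from the article or from the OpenSSL project. It classifies the output of `openssl version` against the affected releases (1.0.1 through 1.0.1f and the 1.0.2 betas; the fix shipped in 1.0.1g on 7 April 2014) and treats the build date as a second signal, because distributions often backported the fix without changing the version string. The `built_on` parameter and its YYYY-MM-DD format are assumptions made for this example.

```python
import re
from datetime import date

# Affected: OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta releases.
# The fix shipped in 1.0.1g, released 7 April 2014. Releases before 1.0.1
# predate the heartbeat code and are not affected.
FIX_DATE = date(2014, 4, 7)
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, fix, letter) from `openssl version` output, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def classify(version_text, built_on=None):
    """Classify a build as 'vulnerable', 'patched', 'unknown' or 'not affected'.

    built_on (assumed format for this example): the build date as 'YYYY-MM-DD',
    e.g. taken from `openssl version -b`. A 1.0.1e built on or after FIX_DATE
    is likely a backported fix, so it is reported as 'unknown' rather than
    'vulnerable'; confirm such cases against the vendor's advisory.
    """
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    major, minor, fix, letter = v
    if (major, minor, fix) < (1, 0, 1):
        return "not affected"
    if (major, minor, fix) == (1, 0, 1):
        if letter >= "g":
            return "patched"
        # 1.0.1 .. 1.0.1f ship the buggy heartbeat handling
        if built_on is not None and date.fromisoformat(built_on) >= FIX_DATE:
            return "unknown"
        return "vulnerable"
    if (major, minor, fix) == (1, 0, 2) and "beta" in version_text:
        return "vulnerable"
    return "patched"


if __name__ == "__main__":
    # Constructed sample strings in the shape `openssl version` prints.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        print(sample, "->", classify(sample))
```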

“Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously,” the researchers wrote on Heartbleed.com.

If any malicious people knew about the bug before it was first widely publicized yesterday, they could have been using it to snoop on supposedly secure browser-server communications for as long as two years — since the first vulnerable version of OpenSSL appeared in December 2011. That means the bad guys may already have your passwords.

At least one major service, Yahoo-owned Tumblr, has already advised its customers to change their passwords.

A list posted to GitHub early today names a large number of sites whose servers were vulnerable to the Heartbleed exploit, including Yahoo.com, Stackoverflow.com, Outbrain.com, OKCupid.com, Steamcommunity.com, Slate.com, Entrepreneur.com, and many more. Many of those sites may have since been fixed.

The flaw was discovered by a team of security engineers at Codenomicon as well as by Neel Mehta of Google Security, who was the first to report it to the OpenSSL team, according to the Heartbleed website.

For more information about Heartbleed, check out The Wire’s consumer-oriented primer and The Verge’s technical explanation.