Oooh, the scary Heartbleed Bug. Actually, if you’ve been keeping up with the news, you may have heard of this and should know that it’s a pretty serious security issue impacting sites using OpenSSL. Right now, Google is returning almost two million search results for the term – so it’s being talked about. A lot.
So above I mentioned OpenSSL, what’s that? Simply put, it’s a cryptographic library that many websites and businesses leverage to secure communications between you and them, preventing outsiders from seeing the exchange. Think of it as being in a whispering gallery … where you don’t expect others would be able to overhear your conversation, but they can, should they choose to.
Enter Heartbleed, a nasty bug that’s been running undiscovered in the wild for over two years. So wait, what the heck is Heartbleed? Glad you asked, this is the technical description from http://heartbleed.com:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
So in english please?
Basically, this bug has existed for the last two years, completely undetected. During that time, websites using a vulnerable version of OpenSSL could have exposed user data without even knowing it.
- Worst case scenario: sensitive information such as credit cards, bank statements, email passwords, etc. could have been stolen.
- Best case scenario: this bug wasn’t discovered or exploited. Don’t count on this.
How can I tell if a site I use has been exploited?
No way to know at this time, if you have concerns then you should contact the site in question.
What sites should I worry about?
Mashable has been compiling a list of popular sites, if they were vulnerable, what fixes have been applied and if you should need to take action:
It should be noted that this is not a completely comprehensive list, smaller sites may or may not have been impacted. You should contact those sites directly if you have concerns.
What about self-hosted sites, how can I check?
You can test any site for CVE-2014-0160 (Heartbleed) here:
Are you some sort of expert on this, can I contact you?
Nope, I’m not an expert on this particular security issue. Just a concerned netizen who felt compelled to post about it. There’s a vast wealth of information on the Heartbleed site: http://heartbleed.com/, I encourage you to review it. And of course if you have questions about a specific entity, you can always contact them directly.