One second everything on the Internet appears normal, and the next thing you know, everyone is talking about some security bug called “Heartbleed” that’s out to get us all. So what is it, and is it as scary a problem as it seems to be?
To put it simply, it’s a bug that’s existed for two years, recently discovered by researchers at Google and a Finnish security firm called Codenomicon, and it could affect anyone who uses the Internet, so yes, it’s pretty darn worrisome.
Security researchers started warning web sites yesterday afternoon that the popular bit of software many, many sites use to encrypt communications, OpenSSL, had been hit with a bug on March 14, 2012, reports the Wall Street Journal. That bug could allow an attacker to access the encryption keys used to keep the info you send to companies private — credit card numbers, passwords, email addresses, you name it.
This is a powerful bug, there’s no doubt — and it could have been scraping info here and picking it up there for the last two years. To that end, major web site operators immediately started scrambling to fix the issue. A Yahoo spokeswoman said the company had “made the appropriate corrections” — this after several researchers said they were able to grab multiple Yahoo usernames and passwords.
The company said:
“As soon as we became aware of the issue, we began working to fix it. Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr, and Tumblr) and we are working to implement the fix across the rest of our sites right now. We’re focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users’ data.”
Google, Amazon and eBay appeared to be safe, according to a test created by cybersecurity company Qualys.
So what can you do?
Because OpenSSL is used widely all across the Internet, it’s hard to tell who’s been affected and whether or not a site has fixed the issue. The first thing you can do is, of course, check all your accounts for any suspicious activity and change your password.
Try to avoid security risks like shared Wi-Fi networks, which can allow attackers easier access to your information if they’re sharing a network with you.
But other than that, it’s mostly up to Internet companies to patch their software and get their SSL keys revoked and regenerated, notes NPR’s All Tech Considered. And it’s really up in the air as to when that will happen.
It appears the best answer right now is just to, well, stay away, if you can. Yes, from the Internet.
“If you need strong anonymity or privacy,” the president of the Tor Project, a web service used to obscure Internet users’ identity, wrote in a blog post, “you might want to stay away from the Internet entirely for the next few days while things settle.”
Common Web Security Tool Is Flawed, Researchers Say [Wall Street Journal]
The Security Bug That Affects Most Of The Internet, Explained [All Tech Considered]