The Heartbleed Bug Explained

Apr 25

We’ve heard about it in the news, and we know that it’s threatened many popular websites. But what exactly is Heartbleed and how does it work?

An Introduction to Transferring Data Online

When data is sent online, it is nothing more than electrical signals carried over wires to other places. If a hacker taps into one of these wires, he or she could “read” all of the information being transferred. To prevent this, data can be encrypted using a cryptographic protocol called the Secure Sockets Layer (SSL). There are different implementations of this protocol, one of which is OpenSSL, a free, open-source encryption program. Two thirds of web servers, including major players like Yahoo, Google, and Facebook, use OpenSSL to encrypt their data.

This encryption is exceptionally strong: it would take a supercomputer hundreds of years to decode the encrypted data. So, while a hacker could still physically tap into a wire and collect your data, all they would get is unreadable ciphertext.

That was the case until recently, when a bug in OpenSSL was discovered, now named the Heartbleed bug, that may allow hackers to gain access to your server’s encryption key, which could then be used to decrypt your data.


What is Heartbleed?

Heartbleed is a memory-handling bug that may allow hackers to gain access to bits of encrypted information. If this data reveals the encryption key, then all of the data is vulnerable. The two OpenSSL developers who reviewed the change as part of routine bug fixes missed it, so it made its way into the released version.
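The defect behind the bug, as an added C illustration that is not OpenSSL’s code and not part of the original post: a heartbeat handler that trusts the length field in the request, beside one that first checks that length against the bytes actually received. The record layout, the marker string and the function names are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simplified model of a TLS heartbeat request: 1 byte type, 2 byte big-endian
 * payload length, then the payload. Constructed "process memory": the record
 * actually received is 5 bytes, but it claims a 32-byte payload, and other data
 * (a marker string standing in for key material) happens to follow it. */
static unsigned char memory[64] =
    "\x01\x00\x20" "hi" "\0\0\0" "SECRET-KEY-MATERIAL";
static const size_t record_len = 5;   /* bytes really received on the wire */

/* Vulnerable: trusts the claimed length, so memcpy runs past the real payload. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    (void)rec_len;                                      /* never consulted */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload_len > out_cap) return -1;               /* only guards the output */
    memcpy(out, rec + 3, payload_len);                  /* echoes adjacent memory */
    return (int)payload_len;
}

/* Fixed: reject any record whose claimed payload exceeds what was received. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap) {
    if (rec_len < 3) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload_len > rec_len) return -1;   /* the missing bounds check */
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + 3, payload_len);
    return (int)payload_len;
}

/* Byte-wise search that tolerates embedded NULs in the response. */
static int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0) return 1;
    return 0;
}

int vulnerable_leaks_marker(void) {          /* 1: marker appears in the reply */
    unsigned char out[64];
    int n = heartbeat_vulnerable(memory, record_len, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, "SECRET-KEY-MATERIAL");
}

int fixed_rejects(void) {                    /* 1: malformed record is dropped */
    unsigned char out[64];
    return heartbeat_fixed(memory, record_len, out, sizeof out) == -1;
}
```

The demo keeps every read inside the `memory` array so it runs without undefined behaviour; in a real server the over-read walks into whatever happens to sit next to the request buffer.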

The most worrisome aspect is that “exploiting Heartbleed leaves no traces, so there is no definite way to tell if a server was hacked and what kind of data was stolen,” according to Kaspersky blogger Brian Donohue.

Steve Marquess, spokesperson for OpenSSL, wrote an open letter explaining the situation and the need for more financial support for OpenSSL to prevent future bugs like Heartbleed. Because OpenSSL is free and has only one paid, full-time employee alongside eleven volunteers, there’s a lot of pressure on the developers working on the project. He argues in the letter that when so many servers use the program and so few people are able to work on it, problems will inevitably arise.

Where should you go from here?

Are you a user of Yahoo, Gmail, Pinterest, Tumblr, Etsy, GoDaddy, Netflix, Flickr, YouTube, or Instagram? If so, Heartbleed might be giving you heartburn.

Changing your passwords on the sites affected is a great start. Be sure to use a unique password on every site. Mashable provided a list of the sites affected by Heartbleed so that you can see which of your favorite sites were hit. Then, you can use the Heartbleed Test to see if those sites are still affected.


  • Kai-min Kevin Chang

    Cool! Today I learned!