With a name like Heartbleed, it's no surprise it's bad. A vulnerability in OpenSSL, the Internet's most commonly used cryptographic library, has let attackers read a server's memory, up to 64 kilobytes per request, ever since the flawed code shipped in OpenSSL 1.0.1 in March 2012.
"I would classify it as possibly the top bug that has hit the Internet that I've encountered, because of it being so widespread, because it's so hard to detect," says Andy Grant, a security analyst at iSEC Partners.
Are you affected? Most users have never heard of OpenSSL. But if a website you use shows an "https" address with a lock icon next to it, the connection is protected by SSL/TLS, and a large share of the servers on the Internet implement that protocol with OpenSSL. Not every https site runs OpenSSL, and only servers running versions 1.0.1 through 1.0.1f are exposed, but you generally cannot tell from your browser which library a site uses.
OpenSSL encrypts your data, including passwords and personal information, as it travels to a server. You may enter a password into your online banking site, but as the information travels across the Internet to your bank, it is scrambled (encrypted) so that anyone eavesdropping on the connection sees only gibberish. Heartbleed does not break that scrambling on the wire. Instead it lets an attacker ask the server to send back chunks of its own memory, which can contain decrypted traffic, passwords, session cookies and even the private key that makes the server's encryption trustworthy in the first place.
The people who maintain OpenSSL released a fixed version, 1.0.1g, the same day the bug was publicly disclosed. But it's up to each Internet company to apply that fix to its own servers, and because the leaked memory may have included those servers' private keys, patching alone is not enough: the old keys and certificates have to be revoked and replaced. That is what "swapping out" the cyberlocks that protected their data means in practice.
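To make the "programming mistake" concrete, here is an added example that is not from NPR or from the OpenSSL project: a self-contained C program that reproduces the shape of the bug in the TLS heartbeat handler and of the two checks added in OpenSSL 1.0.1g. A heartbeat message carries a one-byte type, a two-byte payload length, the payload itself, and at least 16 bytes of padding. The vulnerable handler trusts the length field from the wire and copies that many bytes into its reply; the fixed handler first checks that the claimed length fits inside the record that was actually received. The memory layout, the `SECRET` string, the 200-byte claimed length and the helper names (`stage_memory`, `heartbeat_vulnerable`, `heartbeat_fixed`) are all constructed for this demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING_LEN   16
#define MEM_SIZE         256

/* Constructed stand-in for whatever the server process holds right after the
 * received record (a made-up string for this demo). */
static const char SECRET[] = "session_cookie=deadbeef; password=hunter2";

typedef struct {
    unsigned char *data;  /* first byte of the heartbeat message */
    size_t length;        /* bytes actually received for this record */
} hb_record;

/* Lay out a heartbeat request at the start of `mem` with SECRET right after it.
 * `claimed_len` is the attacker-chosen length field; `payload` is what was really sent. */
static hb_record stage_memory(unsigned char *mem, uint16_t claimed_len, const char *payload)
{
    size_t real_len = strlen(payload);
    hb_record rec = { mem, 1 + 2 + real_len + HB_PADDING_LEN };
    memset(mem, 0, MEM_SIZE);
    mem[0] = TLS1_HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, payload, real_len);
    memset(mem + 3 + real_len, 0xAA, HB_PADDING_LEN);   /* padding, as the protocol requires */
    memcpy(mem + rec.length, SECRET, sizeof SECRET);    /* unrelated data after the record */
    return rec;
}

/* Shared by both handlers: echo `payload` bytes from `pl` into a response. */
static int build_response(const unsigned char *pl, uint16_t payload, unsigned char *out)
{
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);                 /* copies `payload` bytes, received or not */
    memset(out + 3 + payload, 0, HB_PADDING_LEN); /* OpenSSL uses random padding here */
    return 1 + 2 + payload + HB_PADDING_LEN;
}

/* Shape of the 1.0.1f handler: the length comes from the wire and is never compared
 * with rec->length. Returns bytes written, or -1 if the demo output buffer is too small. */
static int heartbeat_vulnerable(const hb_record *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if (p[0] != TLS1_HB_REQUEST || (size_t)(1 + 2 + payload + HB_PADDING_LEN) > out_cap) return -1;
    return build_response(p + 3, payload, out);
}

/* Shape of the 1.0.1g handler: the two bounds checks the fix added; each one
 * silently discards the record by returning 0. */
static int heartbeat_fixed(const hb_record *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    if ((size_t)(1 + 2 + HB_PADDING_LEN) > rec->length) return 0;           /* too short to be a heartbeat */
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)(1 + 2 + payload + HB_PADDING_LEN) > rec->length) return 0; /* claims more than was received */
    if (p[0] != TLS1_HB_REQUEST || (size_t)(1 + 2 + payload + HB_PADDING_LEN) > out_cap) return -1;
    return build_response(p + 3, payload, out);
}

/* 5 real payload bytes but a claimed length of 200: the vulnerable handler echoes memory
 * past the record. mem+k lands at out+k, so SECRET appears at out+rec.length. 1 if leaked. */
int vulnerable_leaks_secret(void)
{
    unsigned char mem[MEM_SIZE], out[MEM_SIZE + 32];
    hb_record rec = stage_memory(mem, 200, "hello");
    int n = heartbeat_vulnerable(&rec, out, sizeof out);
    return n > 0 && (size_t)n >= rec.length + strlen(SECRET)
        && memcmp(out + rec.length, SECRET, strlen(SECRET)) == 0;
}

/* The same lying request is dropped by the fixed handler. */
int fixed_rejects_oversized(void)
{
    unsigned char mem[MEM_SIZE], out[MEM_SIZE + 32];
    hb_record rec = stage_memory(mem, 200, "hello");
    return heartbeat_fixed(&rec, out, sizeof out) == 0;
}

/* An honest request (claimed length matches the payload) is still answered. */
int fixed_echoes_honest_request(void)
{
    unsigned char mem[MEM_SIZE], out[MEM_SIZE + 32];
    hb_record rec = stage_memory(mem, 5, "hello");
    int n = heartbeat_fixed(&rec, out, sizeof out);
    return n == 1 + 2 + 5 + HB_PADDING_LEN && memcmp(out + 3, "hello", 5) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks SECRET:      %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler drops lying request:    %s\n", fixed_rejects_oversized() ? "yes" : "no");
    printf("fixed handler answers honest request: %s\n", fixed_echoes_honest_request() ? "yes" : "no");
    return 0;
}
```

Compile with `cc -std=c99 -Wall heartbleed_demo.c` (the file name is arbitrary) and run it: the vulnerable handler answers a request carrying five real payload bytes with a 219-byte reply that includes the made-up secret sitting after the record, while the fixed handler returns 0 and sends nothing back. The checks in `heartbeat_fixed` are the ones the OpenSSL patch added, written there as `1 + 2 + 16 > s->s3->rrec.length` and `1 + 2 + payload + 16 > s->s3->rrec.length`; the `out_cap` test exists only to keep this demo's fixed-size buffer safe.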
"You're probably protected from this point going forward," NPR's news applications developer Jeremy Bowers told member station WUNC on Wednesday. "The part that is dangerous is the [open vulnerability of the] previous two years and the possibility that at any point since 2012 that your [logins] for various places were compromised."
While individual users can't patch the holes, keep in mind some general Internet hygiene that we should be doing anyway.
- Change your password every few months. Because so many of our transactions are conducted online, this is a good practice to have no matter what. For Heartbleed specifically, wait until a site has confirmed it has patched and replaced its certificate before you change your password there; a new password entered on a still-vulnerable server can leak just like the old one. To be extra safe, use two-factor authentication, which typically means you need to know a piece of information, like a password, and have a piece of information, like a freshly generated pass code that shows up only on your personal smartphone, before getting into certain sites.
- Be a little leery of public Wi-Fi networks. If you are hopping on the Wi-Fi at Starbucks and other public places, limit your Internet behavior to the things you wouldn't mind people being able to find out and transactions that aren't especially sensitive.
- If you have a VPN, use it. If your company or school offers a virtual private network, or VPN, connect that way on public or untrusted networks. Check first that the VPN itself has been patched, though: many VPN products are built on OpenSSL and were exposed to the same bug, which is why the transcript below warns that VPN logins may have been compromised.
- Don't freak out. Sites like Amazon, Google and other major Internet companies have already secured themselves and fixed the vulnerabilities disclosed this week.
- Test to see which sites are vulnerable. LastPass has created a Web app that will tell you what kind of encryption a site uses, and when the encryption was last updated. Filippo Valsorda and SSL Labs have built Web apps that will test whether a site is still vulnerable to the Heartbleed bug. And Bluebox Security, a mobile security company, built an app that will scan your Android phone to test whether it uses vulnerable versions of OpenSSL, either in its operating system or in any of your apps. Keep in mind that a site that tests clean today may still have been exposed before it was patched, and these checks do not tell you whether it has since replaced its certificate.
AUDIE CORNISH, HOST:
From NPR News, this is ALL THINGS CONSIDERED. I'm Audie Cornish.
MELISSA BLOCK, HOST:
And I'm Melissa Block.
A security flaw in one of the most popular encryption programs on the Web is raising alarms. The so-called Heartbleed bug first made news on Monday. Online attacks that take advantage of the bug could expose all kinds of sensitive information and it would be difficult, if not impossible, to detect.
So we asked NPR's technology correspondent Steve Henn what, if anything, users can do to protect themselves.
STEVE HENN, BYLINE: If you bank or shop online, if you use Yahoo or Gmail or sign into work remotely using a virtual private network, your communications may have been compromised.
ANDY GRANT: It's definitely catastrophic.
HENN: Andy Grant is a security analyst at iSEC Partners.
GRANT: I would have to classify it as possibly the top bug to hit the Internet that I've encountered - because of it being so widespread, because it's so hard to detect. It leaves zero trace.
HENN: The Heartbleed bug isn't a virus or a malicious attack. It's basically a programming mistake in a popular, free encryption service - which no one noticed for more than two years. And this mistake made it possible to trick a device or website into handing over private encryption keys. So you know that little padlock you see on your Web browser when you visit a secure website? This bug made it possible to pick that lock. So just how can consumers protect themselves?
AARON GRATTAFIORI: I've definitely stayed off of the Internet as much as I can.
HENN: Aaron Grattafiori is also at iSEC Partners. And unfortunately, he's not joking. Before consumers can do anything to protect themselves, the vulnerable sites they depend on have to be fixed; the locks on those websites have to be swapped out. After that happens, it probably makes sense for you to change your passwords on your most important accounts, for things like email or online banking.
We're posting links on npr.org so you can see for yourself what websites are safe now, which ones may have been vulnerable in the past, and which of your devices or apps could be vulnerable, too. Unfortunately, it turns out it's not just websites that are affected. Millions of Android phones are vulnerable as well.
Steve Henn, NPR News, Silicon Valley. Transcript provided by NPR, Copyright NPR.