One of the biggest stories making the rounds over the past few days is the discovery of the Heartbleed bug. The bug was discovered by a Finnish security firm called Codenomicon and an independent Google researcher, who found that one of the most widely used online security protocols was not as safe as it was thought to be. As a result, it is possible that millions of bank transactions, credit card numbers, passwords and other supposedly secure pieces of information could have been accessed by hackers. This flaw in online security went undetected for more than 2 years, and it is unknown whether hackers found out about it. Here’s more about the Heartbleed bug, who’s affected and what you can do about it.
What exactly is the Heartbleed bug?
When you log on to a website for, say, online transactions, you’ll notice a small closed padlock next to the address bar and “https:” instead of the usual “http:”, denoting a secure connection. That security is provided by the SSL/TLS encryption protocol, and on most websites specifically by the OpenSSL implementation of it. Because of this bug, up to 64 kilobytes of data can be read out of the server on every ‘heartbeat’ (a periodic signal used to synchronize client and server interaction), and the flaw lets attackers provoke bogus server responses and harvest whatever data those responses contain. So all of that encryption is of little use when it can be undone with the private master key that is now exposed. Furthermore, any unencrypted data also leaks out, hence the name ‘Heartbleed’.
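To make the mechanism concrete, here is an added illustration (not code from the original article and not OpenSSL’s own source): a simulated heartbeat handler that trusts the length field the peer sent, beside a handler that applies the bounds check the fix relies on. The `heartbeat_req` layout, the `process_memory` stand-in and the `EXAMPLE_SECRET` marker are all constructed for the demo; in the real bug the over-read ran into whatever heap memory happened to sit next to the record, up to the 64 kilobytes a 16-bit length field can name.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A heartbeat request as it looks after the record is read off the wire
 * (a simplified stand-in for the TLS heartbeat extension's layout). */
struct heartbeat_req {
    uint16_t claimed_len;          /* payload length the peer wrote into the message */
    const unsigned char *payload;  /* start of the payload inside the receive buffer */
    size_t record_len;             /* bytes actually received for this record */
};

/* Vulnerable pattern: trust claimed_len and echo that many bytes, which reads
 * past the real payload into whatever sits next to it in memory. */
size_t heartbeat_reply_vulnerable(const struct heartbeat_req *req,
                                  unsigned char *out, size_t out_cap)
{
    size_t n = req->claimed_len;
    if (n > out_cap)
        n = out_cap;               /* only so this demo stays inside its own buffers */
    memcpy(out, req->payload, n);  /* never compared against record_len: the defect */
    return n;
}

/* Fixed pattern: a claimed length that does not fit inside the received
 * record is rejected and nothing at all is echoed back. */
size_t heartbeat_reply_fixed(const struct heartbeat_req *req,
                             unsigned char *out, size_t out_cap)
{
    if (req->claimed_len > req->record_len || req->claimed_len > out_cap)
        return 0;                  /* discard the malformed heartbeat */
    memcpy(out, req->payload, req->claimed_len);
    return req->claimed_len;
}

/* Constructed stand-in for server memory: a 4-byte heartbeat payload ("ping")
 * followed by unrelated data that happens to be adjacent to it. */
static const unsigned char process_memory[] =
    "ping" "\0" "api_key=EXAMPLE_SECRET";
static const char marker[] = "EXAMPLE_SECRET";

/* True if needle occurs anywhere in the first hay_len bytes of hay. */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= hay_len; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Feed one oversized heartbeat (claims the whole stand-in memory although only
 * 4 bytes arrived) to a handler and report whether the reply carried the
 * adjacent secret. Returns 1 if it leaked, 0 otherwise. */
int reply_leaks_secret(size_t (*handler)(const struct heartbeat_req *,
                                         unsigned char *, size_t))
{
    struct heartbeat_req req = {
        .claimed_len = (uint16_t)sizeof(process_memory),  /* lies about the length */
        .payload = process_memory,
        .record_len = 4,                                   /* only "ping" was received */
    };
    unsigned char reply[256];
    size_t n = handler(&req, reply, sizeof reply);
    return contains(reply, n, marker);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n",
           reply_leaks_secret(heartbeat_reply_vulnerable));
    printf("fixed handler leaks secret:      %d\n",
           reply_leaks_secret(heartbeat_reply_fixed));
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed length against the number of bytes that actually arrived; that single check is what separates a harmless echo from a memory leak, which is why the patched release closes the hole without any change to the encryption itself.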
Who is affected?
The most commonly used versions of OpenSSL, 1.0.1 through 1.0.1f, are vulnerable. The bug was fixed in OpenSSL 1.0.1g.
From a consumer’s point of view, any website that uses a vulnerable version of OpenSSL is open to attack, and such websites can only protect themselves and their users by upgrading to the latest version, which squashes the bug. However, in the two years the flaw went undetected, a huge amount of data went back and forth, and there is no telling how much of it was compromised. Unfortunately, there is also no way to tell whether a given user’s data was exploited using this bug.
What can you do about it?
As of now, your best bet is to change the passwords on your credit card accounts and for any other sensitive information you keep online. The fix has to come mostly from the service provider’s side, but this is one way of keeping yourself safe. If you’re really concerned, abstaining from online transactions and the like for the next two weeks or so is perhaps a good idea. Until then, stay safe, stay alert!