Security research discovers a bug in the encryption technology used by two-thirds of the Web
"Heartbleed" could put people's personal passwords, e-mails and financial information at risk
Addressing the bug will require work by individual sites and the customers who use them
A major online security vulnerability dubbed “Heartbleed” could put your personal information at risk, including passwords, credit card information and e-mails.
Heartbleed is a flaw in OpenSSL, an open-source encryption technology that is used by an estimated two-thirds of Web servers. It is behind many HTTPS sites that collect personal or financial information. These sites are typically indicated by a lock icon in the browser to let site visitors know the information they’re sending online is hidden from prying eyes.
Cybercriminals could exploit the bug to access visitors’ personal data as well as a site’s cryptographic keys, which can be used to impersonate that site and collect even more information.
It was discovered by a Google researcher and an independent Finnish security firm called Codenomicon. The researchers have put up a dedicated site to answer common questions about the bug. They even gave it an adorably gruesome custom icon.
Heartbleed is the result of a small coding error but it could have far-reaching consequences and affect the majority of Internet users.
Researchers discovered the issue last week and published their findings on Monday, but said the problem has been present for more than two years, since March 2012. Any communications that took place over SSL in the past two years could have been subject to malicious eavesdropping.
What makes the bug particularly problematic is that there is no simple fix. Action needs to be taken by both the compromised sites and individuals who have visited them.
To protect their user data and encryption keys, sites must upgrade to the patched version of OpenSSL, revoke compromised SSL certificates and get new ones issued.
Many major websites including Google, Facebook, Yahoo and Amazon have said they’ve taken steps to secure their sites. Security researchers demonstrated the flaw by stealing Yahoo e-mail logins on Tuesday morning, but Yahoo has since fixed the issue across its major sites, including Tumblr.
It’s not just an issue for major sites. Smaller online stores and services use OpenSSL, and those sites might take longer to make the necessary fixes. Websites don’t typically publicize whether they’re using OpenSSL, so the process will also be bumpy for consumers.
Individuals should update their passwords across the various Web pages they use, but only once they have confirmed a site has already taken the proper measures to address Heartbleed. If they don’t and that site is still at risk, the new password could also be compromised. Many sites will also likely send e-mails instructing customers to update passwords if necessary.