You’ve probably been hearing about it. There’s a bug…a security hole on the internet in the secure socket layer called “Heartbleed.” You may not understand some of the words I just typed. You may not think it matters, but this one matters. This one matters very much indeed. Read on and I’ll tell you why:
What is SSL?
You might not know what SSL is or means (it stands for “Secure Sockets Layer”), but you’ve probably seen it a thousand times. When you go to a website to buy something, or when you log on to view your bank account information, sitting there in the upper left-hand corner of the address bar, you see a little icon of a padlock. That’s the visible manifestation of the secure socket layer, and it’s an important symbol, because it means that your data is protected on the page where that symbol is displayed: nobody can see what’s on that page, or get to your password and/or credit card information.
Or at least, that’s what that symbol was supposed to have meant.
It turns out, though, that the secure socket layer really wasn’t all that secure. Some very smart people found a flaw in the code that would allow hackers to tunnel past the security that the little lock icon represents and get to your sensitive information after all. The flaw was in the “heartbeat” feature (thus the name of the bug).
So what’s the heartbeat?
Well, in simple terms, the software periodically sends out a “pulse” or “heartbeat” to let the other end of the connection know that the connection is still there and still valid, and in that heartbeat lives the vulnerability.
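The heartbeat described above, as an added illustration that is not code from this post or from any real SSL library: a deliberately simplified responder in C that trusts the length the sender wrote into the message (the Heartbleed-style defect) beside one that checks that claim against the record it actually received. The record layout, the memory arena and the “SECRET” bytes are all constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Constructed heartbeat record: byte 0 = type (1 = request), bytes 1-2 = the
 * payload length the SENDER claims (big endian), payload, 16 bytes padding. */
#define HB_REQUEST 1
#define HB_PADDING 16

/* Vulnerable responder: copies as many bytes as the sender claimed; the size of
 * the record that actually arrived is never consulted. 'mem' stands for process
 * memory around the record and mem_len only keeps this demo inside its arena. */
size_t hb_vulnerable(const uint8_t *mem, size_t mem_len, uint8_t *out /* >= mem_len */) {
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (claimed > mem_len - 3) claimed = mem_len - 3;   /* simulation bound only */
    memcpy(out, mem + 3, claimed);                      /* echoes past the payload */
    return claimed;
}

/* Fixed responder: the claimed length must fit inside the received record
 * (type + length field + payload + padding); otherwise drop the message.  */
int hb_fixed(const uint8_t *rec, size_t record_len, uint8_t *out, size_t cap) {
    if (record_len < 3 + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (3 + claimed + HB_PADDING > record_len) return -1; /* the missing check */
    if (claimed > cap) return -1;
    memcpy(out, rec + 3, claimed);
    return (int)claimed;
}
/* Constructed arena: a 4-byte "ping" request whose length field says 'claimed',
 * with "SECRET" just past the record, as neighbouring server memory might be. */
static size_t build_arena(uint8_t *mem, size_t cap, uint8_t claimed) {
    size_t record_len = 3 + 4 + HB_PADDING;             /* what was really sent */
    memset(mem, 0, cap);
    mem[0] = HB_REQUEST; mem[1] = 0; mem[2] = claimed;
    memcpy(mem + 3, "ping", 4);
    memcpy(mem + record_len, "SECRET", 6);
    return record_len;
}
/* 1 if the vulnerable reply to a request claiming 60 bytes carries "SECRET". */
int vulnerable_leaks_secret(void) {
    uint8_t mem[128], out[128];
    size_t rl = build_arena(mem, sizeof mem, 60);
    size_t n = hb_vulnerable(mem, sizeof mem, out);
    return n >= rl + 3 && memcmp(out + rl - 3, "SECRET", 6) == 0;
}
/* The fixed responder's result for a request with the given length claim. */
int fixed_result(uint8_t claimed) {
    uint8_t mem[128], out[128];
    return hb_fixed(mem, build_arena(mem, sizeof mem, claimed), out, sizeof out);
}
```

The fixed responder returns the echoed payload length for an honest 4-byte request and -1 (message dropped) as soon as the claim exceeds what was actually received, which is the whole of the real fix.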
The good news is that there’s already a fix for the bug, and that fix is being rolled out as we speak. Even better, there’s more than one layer of protection that companies can use if they want to add another safeguard to their sites (they can utilize something called “Perfect Forward Secrecy”).
The bad news? This bug has been out there, undetected, for more than two years. In an era where computers go from bleeding edge to obsolete in less than 18 months, that might as well be forever. Even worse, if someone has been “listening in” on web traffic, recording where you go and what you do (think NSA), then they could use what this bug gives away to comb through that stored data for information too.
What Should You Do?
By the time you read this, the major players on the internet will be well on their way to implementing a fix to close the security loophole. Nonetheless, your first move should be to reset all your passwords. All of them. Everywhere, because we don’t know which sites were ultimately impacted.
Your second move should be to test the sites you visit for vulnerability. Note that you don’t need to test them all, but do test the ones that require you to enter passwords, or that you’ve entered payment information into in the past.
Test the sites you visit here: http://filippo.io/Heartbleed/
For full information on the bug, visit: http://heartbleed.com/