A major security flaw called Heartbleed was discovered today by security researchers. OpenSSL, the open-source encryption software library, has a massive bug that affects a majority of the web. The bug allows hackers to uncover personal information without being detected.
It’s a complex security issue but I’ll try to keep it as simple as possible. Heartbleed is going to be an ongoing issue and you should take precautions to protect yourself.
What is OpenSSL?
OpenSSL is an open-source cryptographic library that helps secure web traffic. It protects usernames, passwords, and other information from being eavesdropped on by hackers.
By using OpenSSL, users can be certain that they are contacting the site they intend to and that information exchanged with the site is secure.
What is the Heartbleed bug?
Heartbleed is the code name for the bug that was discovered in OpenSSL. The bug has been around for over two years but wasn’t discovered until now.
The vulnerability compromises the secret keys OpenSSL exchanges with users to encrypt traffic. If a hacker is eavesdropping on a compromised connection, they can capture usernames and passwords and use them to impersonate you.
The scariest part is that Heartbleed doesn’t let sites and services know if they are compromised or have been compromised in the past. This means your information could have been stolen but you would never know.
Which websites and services are affected?
Over 66% of the web uses OpenSSL, so tons of sites are affected. Yahoo!, Imgur, and OkCupid are just a few major sites that are affected. There’s a master list of affected sites on GitHub if you want to check which sites you visit are vulnerable.
Many sites have begun patching the bug but it may be too late. The bug has been around for two years and your information may already be exposed.
What can I do to protect myself?
Not much, unfortunately. Since OpenSSL is implemented by websites and services, it’s up to them to patch the bug.
If you can, avoid going to the sites that are listed on GitHub’s master list. Changing your passwords on those sites won’t help until they’ve fixed the bug. Wait until the site has patched Heartbleed before changing your password.
If a site isn’t listed, you can change your password anyway just to be safe.
All you can do now is wait for sites to patch the bug. It’s a good time to check for any suspicious activity on your accounts as well.
Always enable two-factor authentication when possible and use unique passwords for each site and service you sign up for. Password lockers like 1Password and LastPass are great options to generate and keep track of all your passwords.