The Heartbleed bug has made headlines all around the world after it was discovered that potentially two thirds of the internet was vulnerable. The erroneous code has exposed encryption keys to would-be hackers, meaning most of our sensitive data is easily stolen. We look at what this means for the future.
On Monday April 7th an urgent warning was released by the OpenSSL project detailing an extremely dangerous bug called Heartbleed. News of the vulnerability spread like wildfire, as it potentially affected the encryption software used by up to two thirds of servers on the internet, with serious implications for user data security. Large sites such as Yahoo, Flickr, DuckDuckGo, Eventbrite, and imgur were revealed to be at risk, while countless smaller portals, alongside email and instant messaging services, had also been exposed by the problematic code.
The worst part was that the vulnerability had actually been active for nearly two years, and there was no way of knowing if anyone had used the exploit due to it leaving no trace.
As reports of the bug proliferated across the web and spilled into mainstream media, users were confused by exhortations from some to immediately change their passwords, while others warned that unless the site in question had fixed the problem first, any new passwords would be just as vulnerable.
Security researcher Ivan Ristic worked through the night to produce a simple webpage where concerned users could test to see if a particular site had been compromised, while Mashable contacted the major social media and email providers to see if they had been affected by Heartbleed. Facebook, Google, Instagram, Tumblr and Pinterest revealed that they had applied fixing patches before news broke publically, but had not found any signs of data being stolen.
The general advice though was that users should change their passwords on these sites just to be sure. Tumblr even posted a message on its blog encouraging exactly that. "This might be a good day to call in sick and take some time to change your passwords everywhere" the blog stated, "especially your high-security services like email, file storage, and banking, which may have been compromised by this bug".
The Canadian government even took the extraordinary step of taking its e-filing tax service offline during one of the busiest times of the year in response to the Heartbleed problem.
"As a preventative measure, the CRA has temporarily shut down public access to our online services to safeguard the integrity of the information we hold", the Canada Revenue Agency said in a statement.
So what exactly is Heartbleed, and how can it be so widespread? The main problem with the bug is that it was contained in the OpenSSL cryptographic software library, which is the most popular form of security protocols used on the web. This meant the very code that was implemented to ensure communications remained secure and private, could actually be the biggest threat to these goals.
Sign up for Computerworld eNewsletters.