A new bug has been revealed in the OpenSSL security code which is responsible for keeping personal details safe on the internet.
Ever seen ‘https://’ at the start of your web address (URL)? That means you were using an OpenSSL secure site – and now it means you may be vulnerable to attack online.
The bug dubbed “Heartbleed” is able to pull a 64 kilobyte chunk of memory from any server running SSL and experts say as many as two out of three servers on the web may be compromised. The bug would allow attackers to gain data such as passwords and usernames as well as eavesdrop on traffic to and from servers.
And it gets worse – the bug not only affects https://, your emails are also at risk if the server supports encrypted connections.
While Yahoo was one of the worst-affected, with millions of user credentials left exposed, Apple, Google and Microsoft appear to be mostly unaffected.
Worryingly, this bug has existed for two years but has only just been discovered.
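An added illustration of the defect described above, as a constructed model of heartbeat record handling rather than OpenSSL's own code: the record carries a sender-supplied 16-bit length (hence up to 64 KB per request), the faulty responder trusts that length without comparing it to the bytes actually received, and a single bounds check is the fix. The record bytes and the "session=" data beside it are constructed sample memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not OpenSSL's code. A heartbeat record is:
   1 byte type | 2 byte payload length (chosen by the sender) | payload.
   The 16-bit length field is why one malformed record could expose
   up to 64 KB of the server's memory. */
#define HB_HEADER 3

/* Builds the echo reply into 'out'. Returns bytes written, or -1 if the
   record is rejected. 'received' is how many bytes actually arrived. */
static int heartbeat_reply(const uint8_t *rec, size_t received,
                           uint8_t *out, size_t out_cap, int check_bounds) {
    if (received < HB_HEADER) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (check_bounds && HB_HEADER + claimed > received) return -1; /* the fix */
    if (claimed > out_cap) return -1;
    /* Defect: without the check above, 'claimed' may exceed the payload
       that arrived, so memcpy reads past the record into adjacent memory. */
    memcpy(out, rec + HB_HEADER, claimed);
    return (int)claimed;
}

/* Simulated process memory (constructed): a 5-byte record, immediately
   followed by data that should never leave the server. */
static const uint8_t memory[] = {
    0x01, 0x00, 0x10,          /* type, claimed payload length = 16 */
    'h', 'i',                  /* the only 2 payload bytes actually sent */
    's','e','s','s','i','o','n','=','a','b','c','d','1','2','3','4'
};

/* Returns 1 if a reply built without the bounds check carries bytes from
   beyond the 5-byte record, 0 otherwise. */
int unchecked_reply_leaks(void) {
    uint8_t out[64];
    int n = heartbeat_reply(memory, 5, out, sizeof out, 0);
    return n == 16 && memcmp(out + 2, "session=", 8) == 0;
}

/* Returns 1 if the bounds-checked responder rejects the same record. */
int checked_reply_rejects(void) {
    uint8_t out[64];
    return heartbeat_reply(memory, 5, out, sizeof out, 1) == -1;
}

int main(void) {
    printf("unchecked leaks: %d, checked rejects: %d\n",
           unchecked_reply_leaks(), checked_reply_rejects());
    return 0;
}
```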
Quick facts from our resident IT expert Ben:
Am I vulnerable?
Yes. Everyone is. As OpenSSL is the most commonly-used system for online security – if you use the internet, you will have used OpenSSL, and your data may be compromised.
Should I go “off the grid”?
There is no reason to sell up and move to a cave – and even if you do, it won’t provide you with complete protection. Data that has been collected by unscrupulous individuals in the past now leaves you vulnerable to attack.
Well then, what can I do?
Not much – most of the IT community are already doing it for you. The simplest and safest response is to stop engaging in sensitive activities on the internet until the coast is clear. Surf away, but always keep in the back of your mind that logging in to something means what you say or do may be vulnerable. For the risk-averse or conspiracy theorists the best solution is just to not log in to anything.
Can’t I just change my passwords?
Unfortunately, it’s not that simple. Yes, it may be best to change your passwords now. If your passwords have been stolen previously, they can now be decrypted. But it is also possible that changing your password will make you more vulnerable – if the service provider (i.e. anyone you transact with online) has been compromised and hasn’t fixed the problem at their end, every internet-villain out there now knows how to exploit the bug and will have access to your password change. So check with the provider that they are safe, then change your passwords again. For a list of common services affected and advice on password changes see http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
In addition, your passwords should be different across all services you use – if they are all the same, only one service has to be compromised to open everything to attack.
But I cannot live another moment without Facebook!
Don’t worry – Facebook has announced that it has purged the threat from its site and is now encouraging users to change their passwords to ensure continued security. It’s safe to social network again!