*WARNING* We're interrupting your normal health programming to bring you this warning about a bug that's currently taking the Internet by storm. Please stay tuned for important information regarding the health of your private data. *WARNING*
What Is the Heartbleed Bug?
It's rare that a computer virus or bug is important enough to warrant the kind of attention the Heartbleed bug is currently getting. By all accounts, this one's a nasty one and is well-deserving of the press it's getting. According to most sources, Heartbleed is as bad as an Internet security flaw can get and can result in the loss of personal data, including user names, passwords and credit card information.
Heartbleed is a flaw in the Secure Sockets Layer (SSL) encryption software that's in place to protect your data. I heard one computer expert compare the flaw to hiring a group of armed guards to protect an armored car and having them all fall asleep at once. Those with the knowledge needed to expose your data through Heartbleed have free rein to capture anything and everything you transmit.
SSL encryption is supposed to encrypt and protect sensitive data as it travels across the Internet, but this flaw all but eliminates that layer of protection.
Here's how Heartbleed works:
- When you visit a website secured by SSL, your Internet browser asks the website to send information that allows your browser to identify it.
- The website sends identifying information to your browser, which includes an SSL certificate and a public decryption key.
- Your browser compares the certificate to a list of trusted certificates to make sure the website is who it's claiming to be. If the browser finds the certificate on the trusted list, it creates what's known as a session key and sends it back to the server.
- An encrypted session is initiated between your browser and the website you're connected to. All data sent back and forth between your browser and the website is encrypted with the session key and theoretically should be private.
Heartbleed leaves a hole in the SSL session and opens encrypted information up to prying eyes. Hackers are able to access the encryption keys and can use them to decipher encrypted data. OpenSSL is the only version of SSL that's affected by the bug, but it just so happens OpenSSL is the most prevalent variety of SSL used on the Internet.
Which Sites Are Vulnerable?
Any site that uses OpenSSL is vulnerable to the bug. Some of the biggest sites across the Internet were reportedly affected, including Yahoo, Imgur, Flickr, OKCupid, Squidoo and many more. Mashable.com has a list of some of the bigger sites that are affected. Additionally, you can use the following link to check and see if a site is vulnerable before you transmit your personal data:
What Can You Do?
There isn't a lot you can do from your end, other than avoiding sites that have the vulnerability until it has been patched. Most of the bigger companies have patched it already, so you should log in and change your password as soon as possible. That won't protect your data if it's already been compromised, but there's no indication that hackers knew about this bug or were exploiting it prior to it being announced earlier this week.