Q&A: What is Heartbleed and should I change my password?

Two-year-old security hole in encryption system causing heartache for web users

What is Heartbleed?
A major threat to the web; catastrophic; the worst thing to happen to the internet. The level of rhetoric depends on what you read, but one thing is clear: Heartbleed is bad news. Very bad news.

To get technical, it’s a two-year-old security hole in OpenSSL, the encryption software used by many sites on the internet. OpenSSL is used to encrypt web traffic, usually denoted by the small closed padlock in your browser’s address bar that indicates your connection is secure. However, Heartbleed allows attackers to read that supposedly protected information.

The protocol is designed to confirm a secure connection between a user’s computer and a web server by sending a small piece of data (up to 64 kilobytes) from one side along with a number indicating how much data has been sent; the other side then sends back the same piece of data.

However, the replying side only looks at the stated size of the data rather than its actual size, and always sends back the amount of data requested; if the stated amount is more than was actually supplied, the replying side pads the reply with whatever happens to be next to it in the computer’s memory.
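The two paragraphs above describe a missing length check. The C program below is an added illustration written for this article (it is not OpenSSL’s code) and makes the following assumptions: a heartbeat record is modelled as a one-byte type, a two-byte claimed payload length and the payload itself; “memory” is a single constructed array in which a made-up string stands in for whatever secret data happens to sit next to the record. The vulnerable handler copies as many bytes as the header claims; the patched handler first checks that the claim fits inside what was actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record layout assumed for this example:
 * byte 0 = type, bytes 1-2 = claimed payload length, then the payload. */
#define HB_HEADER_LEN 3
#define MAX_RESPONSE 1024

/* Constructed stand-in for server memory: the record sits at the start and
 * unrelated data (here a made-up token) happens to lie right after it. */
static unsigned char process_memory[256];
static const char *CONSTRUCTED_SECRET = "SECRET_SESSION_TOKEN";

/* Builds a record whose header claims `claimed_len` payload bytes but which
 * actually carries only `actual_len` bytes. Returns the real record length. */
size_t build_record(uint16_t claimed_len, const char *payload, size_t actual_len) {
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = 1;                                  /* heartbeat request */
    process_memory[1] = (unsigned char)(claimed_len >> 8);  /* length, big-endian */
    process_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(process_memory + HB_HEADER_LEN, payload, actual_len);
    /* Place the constructed secret immediately after the real payload. */
    memcpy(process_memory + HB_HEADER_LEN + actual_len,
           CONSTRUCTED_SECRET, strlen(CONSTRUCTED_SECRET));
    return HB_HEADER_LEN + actual_len;
}

/* Vulnerable handler: trusts the length field and never compares it with
 * the number of bytes actually received. Returns bytes written to `out`. */
size_t reply_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    (void)rec_len;                                 /* the bug: rec_len is ignored */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    memcpy(out, rec + HB_HEADER_LEN, payload_len); /* reads past the real payload */
    return payload_len;
}

/* Patched handler: the claimed payload must fit inside the received record.
 * Returns bytes written to `out`, or 0 if the record is rejected. */
size_t reply_patched(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < HB_HEADER_LEN) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)payload_len > rec_len - HB_HEADER_LEN) return 0; /* the fix */
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return payload_len;
}

/* Returns 1 if the constructed secret appears anywhere in the first n bytes. */
int leaks_secret(const unsigned char *out, size_t n) {
    size_t slen = strlen(CONSTRUCTED_SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, CONSTRUCTED_SECRET, slen) == 0) return 1;
    return 0;
}

/* Scenario 1: a record claiming 40 bytes but carrying 5 ("hello").
 * Returns 1 if the vulnerable handler's reply contains the secret. */
int demo_vulnerable_leaks(void) {
    unsigned char out[MAX_RESPONSE];
    size_t rec_len = build_record(40, "hello", 5);
    size_t n = reply_vulnerable(process_memory, rec_len, out);
    return leaks_secret(out, n);
}

/* Same malformed record through the patched handler: expect 0 (rejected). */
size_t demo_patched_rejects(void) {
    unsigned char out[MAX_RESPONSE];
    size_t rec_len = build_record(40, "hello", 5);
    return reply_patched(process_memory, rec_len, out);
}

/* A well-formed record (claim matches reality) is still answered normally.
 * Returns the number of bytes echoed back. */
size_t demo_patched_accepts_valid(void) {
    unsigned char out[MAX_RESPONSE];
    size_t rec_len = build_record(5, "hello", 5);
    size_t n = reply_patched(process_memory, rec_len, out);
    return leaks_secret(out, n) ? 0 : n;
}

int main(void) {
    printf("vulnerable handler leaks neighbouring data: %d\n", demo_vulnerable_leaks());
    printf("patched handler bytes returned for bad record: %zu\n", demo_patched_rejects());
    printf("patched handler bytes echoed for good record: %zu\n", demo_patched_accepts_valid());
    return 0;
}
```

The only difference between the two handlers is the single comparison marked “the fix”, which is the same shape as the check the real patch added: the reply must never be longer than the data that actually arrived.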


"Basically, an attacker can grab 64K of memory from a server," security expert Bruce Schneier wrote on his blog, Schneier on Security. "The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory – SSL private keys, user keys, anything – is vulnerable.

“And you have to assume that it is all compromised. All of it. ‘Catastrophic’ is the right word. On the scale of one to 10, this is an 11.”

The flaw may be two years old, but it was only recently made public by researchers at Google and security firm Codenomicon, prompting an understandable panic among web users.

Codenomicon built a website to provide information on the security hole, which gave some worrying information. “We have tested some of our own services from the attacker’s perspective. We attacked ourselves from outside, without leaving a trace,” Codenomicon said.

Essentially, attackers could exploit the flaw, swipe data and leave no trace that they were ever there.


What data is at risk?
Any data that has been sent over a previously presumed secure connection could have been compromised. That includes everything from passwords and encryption keys to banking details, credit card numbers and other sensitive information.


Who is affected?
It's essentially a problem with the software on servers that host websites, meaning there is very little that web users can do, other than change passwords.

About 60 per cent of the sites on the internet use OpenSSL. That’s a lot of websites that could be vulnerable – experts estimate about half a million – and the majority are now working to patch their systems.

It's not just small players that were caught out by this. The list of web services that were affected makes for uncomfortable reading. Some of the bigger sites include Yahoo, Tumblr, Flickr, Amazon Web Services and Dropbox.

Google was also affected, but the company confirmed this week it had patched key services such as Gmail, Search, YouTube, Wallet, Play, Apps and App Engine. Other Google services are in the process of being patched. Google Chrome and Chrome OS were not affected, and Android – with the exception of version 4.1.1 – also escaped.

Even government agencies have been caught short. Canada’s tax system was shut down this week and, in the US, the flaw worried the Department of Homeland Security enough to advise businesses to take a close look at their servers to ensure they weren’t affected.

UPDATE: Cisco Systems and Juniper Networks have said that some of their networking equipment - routers, firewalls, switches - is susceptible to the encryption bug. Cisco will notify customers when software patches for its affected products are available, while Juniper said it issued a patch earlier this week for its most vulnerable products that feature virtual private network technology, which allows users to connect remotely to corporate networks.


How do I know what sites are affected?
There are a number of websites listing the affected domains, but rather than scrolling through pages of sites to try to pick out one, there are tools online that will scan a web address of your choice to see if it's still vulnerable.

Try the tool developed by Filippo Valsorda (http://filippo.io/Heartbleed/) or the Heartbleed Checker by LastPass (https://lastpass.com/heartbleed/).


What should I do?
Don't panic. The most basic advice is to change your passwords for any affected sites, and also for sites where you reuse the same login details – a frowned-upon habit, but one many of us are guilty of.

However, don’t rush to change everything just yet. If a site hasn’t applied the fix, you’ll have to change your password again when it does, as any login details would be at risk until the vulnerability has been patched. Avoid using sites that haven’t been fixed for the next few days.

According to Google, it discovered and patched the flaw early, so users have no need to change their passwords. But if you want to be on the safe side, it may be worth changing them anyway.

It’s a good idea to change passwords on a regular basis in any case, so try to get into the habit of doing so. Also, tempting as it might be, don’t reuse passwords across multiple sites – if one site is compromised, you put yourself at risk on every other site that shares that password.

Ciara O'Brien

Ciara O'Brien is an Irish Times business and technology journalist

Dan Griffin

Dan Griffin is an Irish Times journalist