Just How Serious IS Heartbleed? You Probably Don’t Want To Know.
By now, you've probably heard the news - a security flaw has been discovered in the OpenSSL software library; a devastating data leak which has been given the rather intimidating name "Heartbleed." Many websites have already reported on the bug since its discovery, and though most major websites have since patched their servers, it remains one of the most severe security flaws discovered online in the past decade - perhaps even in history.
First, allow me to explain exactly what Heartbleed is - and where the name of the glitch comes from. In SSL, there's a feature known as a heartbeat. How this works is that when a client system communicates with a server, it sends a small piece of data along with a number stating how many bytes that data contains, and asks the server to echo it back. Seems like a simple way of verifying that the connection between two systems is still alive, right?
Where the Heartbleed exploit comes into play is that until recently, the server trusted the client's stated length without ever checking it against how much data had actually arrived. User input was trusted blindly, meaning that a client could claim to have sent far more data than it really did. In such a situation, the server would pad out its reply with whatever happened to be sitting in its memory next to the request - 'random' data from the server's point of view, but virtually guaranteed to be data the server had used or accessed previously.
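To make the missing check concrete, here is a small C simulation added for this post (not code from the original article or from OpenSSL): the unchecked handler copies as many bytes as the request claims, while the checked handler performs the kind of length validation the fix introduced. The record layout follows the TLS heartbeat format (type byte, two-byte length, payload, padding); the memory arena, the "secret" string placed beside the request and every length value are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Heartbeat record layout: 1-byte type, 2-byte payload length (big-endian),
   payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Simulated server memory: the received record sits directly in front of a
   constructed secret standing in for keys or session data that happen to be
   adjacent in the real process. */
#define ARENA_SIZE 96
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "SECRET-KEY-MATERIAL";

/* Build a request whose header claims `claimed_len` payload bytes while only
   `actual_len` bytes are really sent. Returns the length actually received. */
static size_t build_request(uint16_t claimed_len, size_t actual_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memset(arena + 3, 'A', actual_len);                 /* the real payload */
    size_t record_len = 3 + actual_len + HB_PADDING;
    memcpy(arena + record_len, secret, sizeof secret);  /* adjacent memory */
    return record_len;
}

/* Pre-fix behaviour: trusts the claimed length and copies that many bytes
   from the payload, no matter how much was actually received. */
static int heartbeat_unchecked(const unsigned char *rec, size_t record_len,
                               unsigned char *out, size_t *out_len) {
    (void)record_len;                                   /* never consulted */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);  /* over-read when claimed > received */
    *out_len = 3 + claimed;
    return 0;
}

/* Fixed behaviour: drop any record whose claimed payload (plus header and
   minimum padding) is longer than what actually arrived. Returns -1 on drop. */
static int heartbeat_checked(const unsigned char *rec, size_t record_len,
                             unsigned char *out, size_t *out_len) {
    if (record_len < 3 + HB_PADDING) return -1;         /* too short to be valid */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + claimed + HB_PADDING > record_len) return -1;
    return heartbeat_unchecked(rec, record_len, out, out_len);
}
```

With the check in place, an over-claiming request is discarded before any copy happens, which is all the fix amounts to.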
It gets worse. See, OpenSSL is used to secure virtually everything on the websites that use it. Usernames and passwords, private and confidential information, financial details, and even authentication keys (which would allow a hacker to completely compromise a server) are all fair game. Using Heartbleed, it's entirely possible for a cyber-criminal to gain access to every byte of data stored on a server, all without the host even knowing.
This flaw has been in the wild for two years now, even though it was just discovered this month. When a hacker uses it, they leave no trace and can continue repeatedly siphoning data for as long as they please. We've no idea how far-reaching the exploit is at this point, but one can't help but wonder how many of the data breaches we've encountered since 2010 have been a result - direct or indirect - of Heartbleed.
Considering that somewhere around 66% of websites use OpenSSL, it's difficult to say.
It wasn't just social networks or game sites using OpenSSL either. Where I live, the Canada Revenue Agency - the organization responsible for managing the information of every citizen living in Canada - made use of the software, and has shut down its website for the time being. I want you all to understand the severity of this - the CRA has our banking information, our names, our ages, our addresses. They have our Social Insurance Numbers.
Basically, they have everything a thief would need to steal someone's identity.
Assuming there was some group of criminals aware of the exploit - and you'd be foolish to think there weren't at least a few who knew about it and used it with impunity - that means that anyone in Canada who has ever filed a tax return is at risk.
That's ultimately the most devastating thing about Heartbleed. The likelihood that a massive volume of crucial, private data has been leaked as a result of the exploit is near one hundred percent. Even fixing the exploit at this point won't change that. Somewhere, someone has access to encryption keys, user passwords, confidential documents, and more. There's no changing that.
And until we know the full scope of the information that's been leaked, there's no way to fix it - or even any guarantee that we can.
So How Can You Protect Yourself?
There are a few things you can do to mitigate the damage caused by Heartbleed. The first is to simply change your passwords - and yes, I do mean ALL of them. Any website you've ever used might have been hit with Heartbleed - meaning there's a chance that every password you've ever entered is compromised.
That said, it might be worthwhile to wait a bit before changing your user details on smaller, lesser-known sites: there are plenty of unscrupulous webmasters who don't care enough to update their servers with any sort of agility. Changing your password on one such site is fairly pointless, because until the server is actually patched, the new password can leak just as easily as the old one did.
Additionally, it couldn't hurt to set up some form of extra authentication on any accounts you want to see protected. Most websites offer some form of two-step verification, typically by sending a code to your phone whenever you change your password or log in from an unfamiliar device. I use it on most sites I frequent.
Aside from that... just keep your fingers crossed, and hope that your data wasn't among that which was compromised.