The news: Security researchers have identified a very, very serious security hole in one of the fundamental technologies protecting personal data all across the Internet. OpenSSL, the cryptographic software library that an estimated two-thirds of web servers worldwide use to connect with end users and guard against digital eavesdropping, has been vulnerable to hackers for as long as two years. It may be the biggest security breach in the history of the Internet.
In a blog post published Monday, the OpenSSL researchers dubbed the critical flaw "Heartbleed," admitted that the glitch allows for easy, untraceable breaches of secure systems, and announced the release of an immediate fix. Originally discovered by Google researcher Neel Mehta, what went wrong with OpenSSL is now a massive problem with the potential to affect the majority of secure servers on the Internet controlling everything from banking to retail to email. Here's how the OpenSSL team described the bug:
Bugs in a single piece of software or a library come and go and are fixed by new versions. However, this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously.
What's at risk? It's not theoretical. The research team provided evidence that with awareness of the bug, they were able to breach Yahoo security and steal email logins and passwords without leaving a trace. They wrote:
We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.
Anyone who noticed and exploited the bug since it was introduced on March 14, 2012 could have easy access to an incomprehensible number of secure systems. And as TechCrunch notes, even encrypted data illegally stolen from servers could eventually be forced open either with more stolen data or other methods, depending on server configuration. Redditors with awareness of the bug claim to have been able to identify vulnerabilities in sites ranging from Yahoo mail to their banks.
What should you do? Until everyone updates their servers, widespread knowledge of the bug could mean open season for hackers. A Tor Project blog post ominously said that "If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle." Tumblr advises that you change all of your passwords immediately, including for their own service:
Fortunately, according to The Verge, Google, Apple, and Microsoft are all unaffected, as well as most major e-banking services. This site allows website operators and end-users to check whether a critical service was rendered wide-open by the bug.
Even more troubling, there's nothing end-users can do to know whether or not they've been compromised. Heartbleed is another reminder that much of what we call "security" on the web is chillingly fragile.