The Heartbleed Bug – How Safe Is Your Data on the Web?
The day the internet exploded (or at least got caught with its pants down). Learn about the loophole that can reveal your personal information to hackers!
Today a major web vulnerability was made public via heartbleed.com. It affects many versions of OpenSSL, the software library that implements SSL (Secure Socket Layer), which is what encrypts your data as it travels across the internet.
Any time you visit a secure website (which you’ll know because the site address starts with https://), your data is supposed to be safe. Without getting into the nitty-gritty of code and tech jargon, here’s how this attack works: when you visit a website, the website responds with information. The vulnerability that was found allows an attacker to request more data than is normally allowed.
This means that an attacker can read a small, random portion of the server’s memory as it was at the moment the request was made, memory the attacker normally would have no access to.
Say I wanted to buy something from site A (which uses SSL). When I log on to the website and submit my credit card information, the server that processes my data has to momentarily hold that information in its memory. If an attacker were to request information the moment I clicked “Buy,” there’s a chance he might see that information in plain text, completely unencrypted, completely out in the open! What’s worse is that the affected older versions of OpenSSL have been in the wild for two years!
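To make the “request more data than normally allowed” part concrete, here is a small C model added for this post; it is not OpenSSL’s code, and the message layout, the simulated server memory (`arena`), and the leftover “card=…” secret are all constructed for illustration. The first handler trusts the length field written inside the message, so it echoes back whatever happens to sit in memory after the real payload. The second compares that field with the number of bytes that actually arrived and drops the message if they disagree, which is the shape of the published fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a heartbeat message (not OpenSSL's code):
 * byte 0 = type, bytes 1-2 = declared payload length (big-endian),
 * then the payload. record_len is how many bytes actually arrived. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define MAX_RESP    256

/* Simulated server memory: the received request, followed by unrelated
 * data from an earlier request that should never leave the server.
 * One fixed array keeps the over-read inside the simulation. */
static unsigned char arena[128];

/* Place a short request in the arena and return the number of bytes that
 * actually arrived (header + real payload), i.e. the record length. */
static size_t build_arena(uint16_t declared_len, const char *payload)
{
    size_t actual = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(declared_len >> 8);
    arena[2] = (unsigned char)(declared_len & 0xff);
    memcpy(arena + 3, payload, actual);
    /* Constructed leftover from a previous request, sitting right after it. */
    strcpy((char *)arena + 3 + actual, "card=4111-CONSTRUCTED");
    return 3 + actual;
}

/* Vulnerable pattern: echoes back as many bytes as the message *claims*,
 * never comparing that claim with how many bytes really arrived. */
static size_t heartbeat_unchecked(const unsigned char *rec, size_t record_len,
                                  unsigned char *out)
{
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)record_len;                          /* the bug: never consulted */
    if ((size_t)3 + declared > sizeof arena)   /* simulation guard only */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, declared);        /* reads past the real payload */
    return 3 + declared;
}

/* Hardened pattern: the declared length must fit inside the record that
 * actually arrived, otherwise the message is silently discarded. */
static size_t heartbeat_checked(const unsigned char *rec, size_t record_len,
                                unsigned char *out)
{
    if (record_len < 3)
        return 0;
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + declared > record_len)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, declared);
    return 3 + declared;
}

/* Does the response carry a byte sequence that was never in the payload? */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char out[MAX_RESP];
    /* A 4-byte payload that claims to be 40 bytes long. */
    size_t record_len = build_arena(40, "ping");

    size_t n = heartbeat_unchecked(arena, record_len, out);
    printf("unchecked: %zu bytes returned, leftover data leaked: %s\n",
           n, contains(out, n, "card=") ? "yes" : "no");

    n = heartbeat_checked(arena, record_len, out);
    printf("checked:   %zu bytes returned (0 = request dropped)\n", n);
    return 0;
}
```

The only difference between the two handlers is the single comparison against `record_len`; everything the unchecked version leaks is simply whatever happened to be next to the request in memory, which is exactly why the author’s credit-card scenario above is a matter of luck rather than targeting.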
This would be like when someone reads you a phone number: each digit is in your head for a split second as you write it down. If someone could read your mind the moment a digit was in your head, they’d know that digit. However, once the number reaches paper, your data would be safe again.
So how safe are we? Well I’m personally not buying anything online today.
I want to stress that attackers can only have a small peek at the data going to the server, specifically a 64-byte peek. That means there’s a very slim chance any of your information could be gleaned. However, if you were unlucky enough, an attacker could get the 64-byte chunk of memory that contains your username and password, or your credit card information!
This affects very specific versions of OpenSSL (versions 1.01-1.01e), and may already be fixed on many large websites. However, over 66% of the web was vulnerable as of this morning!
So what can you do about this? Well, unfortunately, not a whole lot. You can monitor the blogs and websites you’d like to use and see whether they have posted an update. With such a large security hole, though, you can be assured this won’t last long.
Have you been affected by the bug? Let us know in comments or tweet us @QDTtechtalker.
Security alert image courtesy of Shutterstock.