You might not want to log into your online banking account today. A major bug in online security software has been discovered, which could put all of your personal information at risk, including passwords, banking information and emails. The Heartbleed bug is a huge flaw in OpenSSL, an open-source encryption technology that is supposed to protect your data.
The software is behind many HTTPS websites (for example, online banking sites) and you can recognize it by that little padlock in the address bar at the top of your screen. It is the most popular encryption software out there, used by Google, Facebook, Amazon and pretty much every other site you might be thinking about using today.
Basically the way it works is this: if you are using a website over a secure connection, there is another computer or device at the other end of that connection. This could be your bank or the work server you've logged into remotely. Through OpenSSL the information flowing back and forth between you and the other computer is encrypted in such a way that only the two of you are able to decipher it.
Every now and again, one of the computers will want to check in that the other computer is still on the other end of the connection. It does this by sending a "heartbeat" — a small packet of data that asks the other computer to ping back and let it know it's still there.
However, researchers have discovered there's a flaw in this excellently-laid plan. It is possible to send a packet of data that looks almost identical to a heartbeat but forces the other end to send back a big chunk of data — up to 64 KB — from its short-term memory. This is likely to be things like the password you just entered, or the credit card number you just typed in to buy those concert tickets.
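An added illustration, not code from this article or from OpenSSL: a simplified C model of the heartbeat handling described above, with the broken shape beside the corrected one. The memory layout, the two-byte real payload, the padding size and the secret string are all constructed for the demo; the corrected length check has the same shape as the one in the OpenSSL fix.

```c
#include <stdint.h>
#include <string.h>

#define MEM_SIZE 64
#define PADDING  16  /* RFC 6520: at least 16 bytes of padding per heartbeat */

/* Constructed model of the peer's memory, not a real process layout: the received
 * heartbeat record sits at offset 0 and an unrelated secret sits just past its end. */
static uint8_t peer_memory[MEM_SIZE];
static const char SECRET[] = "PASSWORD=hunter2";

/* Stage a heartbeat request whose header claims `claimed_len` payload bytes
 * but which really carries only two. Returns the record's true length. */
size_t stage_request(uint16_t claimed_len) {
    size_t record_len = 3 + 2 + PADDING;
    memset(peer_memory, 0, MEM_SIZE);
    peer_memory[0] = 1;                            /* heartbeat_request */
    peer_memory[1] = (uint8_t)(claimed_len >> 8);  /* payload_length, big-endian */
    peer_memory[2] = (uint8_t)claimed_len;
    memcpy(peer_memory + 3, "hi", 2);              /* the real payload */
    memcpy(peer_memory + record_len, SECRET, sizeof SECRET - 1);
    return record_len;
}

/* Vulnerable shape: echoes back `claimed` bytes without ever comparing that
 * value with the length of the record actually received. */
int respond_vulnerable(size_t record_len, uint8_t *out, size_t out_size) {
    uint16_t claimed = (uint16_t)((peer_memory[1] << 8) | peer_memory[2]);
    (void)record_len;                              /* the bug: never consulted */
    if (claimed > out_size || 3 + (size_t)claimed > MEM_SIZE)
        return -1;                                 /* demo-only guard for the model array */
    memcpy(out, peer_memory + 3, claimed);         /* copies far past the 2 real bytes */
    return (int)claimed;
}

/* Fixed shape: drop any request whose claimed payload, plus header and
 * padding, does not fit inside the record that was received. */
int respond_fixed(size_t record_len, uint8_t *out, size_t out_size) {
    if (record_len < 3) return -1;
    uint16_t claimed = (uint16_t)((peer_memory[1] << 8) | peer_memory[2]);
    if (3 + (size_t)claimed + PADDING > record_len || claimed > out_size)
        return -1;                                 /* silently discard, as the fix does */
    memcpy(out, peer_memory + 3, claimed);
    return (int)claimed;
}
```

With a header claiming 40 bytes, the vulnerable handler returns 40 bytes that include the secret lying 18 bytes past the real payload, while the fixed handler discards the request.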
So, that was the bad news. Now for the really bad news. This is not a new bug. That means anything that you've sent over a secure network in the past TWO YEARS could potentially have been compromised. And there's basically no way of knowing how widespread the exploitation is.
The vulnerability in OpenSSL was discovered by researchers with Google Inc and a small security firm called Codenomicon. The team at Codenomicon has set up a dedicated website where you can find out more information about the Heartbleed bug. It makes for some pretty scary reading:
We have tested some of our own services from an attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.
You can also use this website to check out whether different websites are vulnerable. If you discover that a website is vulnerable to attack then you are advised not to log into it until the company confirms it has updated its SSL software.
Also, despite what you may be reading on Twitter and in the blogosphere, the advice is not to change all of your passwords — at least, not yet. Instead, you should wait for confirmation that sites have been secured, otherwise any further activity on affected sites will only make the problem worse.
The best advice is just to stay off super-sensitive websites (such as online banks) until it has been confirmed that they are safe to use. And go through your financial statements with a fine-toothed comb.