The little padlock icon (the one that precedes ‘https’) that we presumed was safeguarding all our information on a site might not be safe after all. In a shocking revelation, a team of Finnish security experts and Google discovered a major security flaw in websites that use the OpenSSL technology. The bug was first disclosed on Monday, and by Tuesday technology giants like Yahoo, Google, Facebook and Amazon were already fixing the problem or had fixed it.
Though the full implications of the Heartbleed bug are still unknown, researchers say that the vulnerability can give hackers access to more than a million websites on the internet. With sensitive information like passwords, bank details, social security numbers and stored files at stake, it is difficult to judge the extent of the damage (if any), as the flaw went undetected for more than two years.
The bug works by creating an opening in SSL/TLS, the encryption technology behind the closed padlock shown for HTTPS. Using the bug, hackers could easily snoop on internet traffic, and users would never know that their information was compromised because the padlock would continue to show that the site was secure. Hackers could also obtain the keys for deciphering encrypted data, and the site owner would never know. It is because of this indiscernible nature that the bug went unnoticed for more than two years.
The Finnish security experts from Codenomicon and Neel Mehta of Google's security team discovered the bug in what researchers call the heartbeat. The ‘heartbeat’ is where encrypted messages ping back and forth between consumer devices and websites. Since the flaw was in the ‘heartbeat,’ they called the bug Heartbleed.
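The check that was missing from the heartbeat handling, shown as an added C example that is not from the article or from OpenSSL itself: a handler that refuses to echo more payload bytes than the received record actually carries. The message layout follows the heartbeat extension (type, 2-byte length, payload, padding); the two sample records are constructed for illustration, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat message layout: type (1 byte), payload_length (2 bytes, big-endian),
 * payload, then at least 16 bytes of padding. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Build the response to one heartbeat request record.
 * Returns the response length, or -1 if the request is rejected.
 * The comparison against rec_len is the bounds check whose absence caused
 * Heartbleed: trusting payload_length alone lets memcpy read past the end of
 * the received record and echo adjacent process memory back to the peer. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    size_t need = 1 + 2 + payload_len + HB_MIN_PADDING;
    if (need > rec_len)   /* claimed length exceeds what was actually received */
        return -1;
    if (need > out_cap)   /* response must also fit its own buffer */
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);             /* echo only real bytes */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING);  /* padding; random in the real protocol */
    return (int)need;
}

/* Helper for the demo: runs a record through the handler with a scratch buffer. */
int classify_request(const uint8_t *rec, size_t rec_len)
{
    uint8_t out[64];
    return heartbeat_response(rec, rec_len, out, sizeof out);
}

/* Constructed sample records: a 2-byte payload "ab" plus 16 bytes of padding,
 * once with an honest length field and once claiming 65535 payload bytes. */
static const uint8_t honest_req[21] = { HB_REQUEST, 0x00, 0x02, 'a', 'b' };
static const uint8_t lying_req[21]  = { HB_REQUEST, 0xFF, 0xFF, 'a', 'b' };

int main(void)
{
    printf("honest request -> %d bytes\n", classify_request(honest_req, sizeof honest_req));
    printf("lying request  -> %d (rejected)\n", classify_request(lying_req, sizeof lying_req));
    return 0;
}
```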
One of the best ways to secure your information is to change the passwords to all your accounts immediately. Security experts advise users to first confirm that a site has applied the necessary security patch for this flaw and only then change the password. Tumblr was the first to reach out to its users saying it had fixed the flaw, and other websites have followed suit. Experts also warn users against using the same password, or the same password and username, on multiple sites.
All these events only reinforce the fact that we have to be extra careful in the virtual world too. Web companies have been talking about improving security practices such as Perfect Forward Secrecy (PFS), but how many of them have actually implemented it remains to be seen.