On Tuesday, April 8th, security researchers announced a new online security vulnerability they are calling the ‘Heartbleed’ bug (CVE-2014-0160).  Heartbleed is a very serious coding flaw in OpenSSL, an open source software library used by web servers, operating systems, email and instant messaging systems to protect confidential information as it travels across the internet.  The bug had been in OpenSSL for about two years, affecting versions 1.0.1 through 1.0.1f, before it was found independently by the security company Codenomicon and by Neel Mehta, a researcher at Google.

Millions of websites, including banks, credit card companies, e-mail providers and social media services, use OpenSSL to secure data in transit. One feature of the TLS protocol that OpenSSL implements, the heartbeat extension (RFC 6520), lets either side of a connection send a small message, known as a heartbeat, to check that the other side is still alive; the heartbeat carries a payload and a field stating the payload's length, and the receiver echoes the payload back.  The Heartbleed bug earned its name because OpenSSL trusted the stated length without checking it against the size of the message actually received. A specially crafted heartbeat that claims a 64 KB payload but carries only a few bytes makes the receiver copy up to 64 KB of whatever happens to lie next in its memory into the reply. That memory can hold the contents of supposedly protected traffic, such as a credit card transaction sent over HTTPS, as well as session cookies, passwords and the server's private key itself. A stolen private key lets an attacker impersonate the server, or decrypt captured traffic that did not use forward secrecy, and because a heartbeat is ordinary protocol traffic that servers do not log, the attack leaves no trace. It can be repeated as often as the attacker likes, and a malicious server can run it in reverse against a vulnerable client.
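The missing check described above, shown as an added example that is not code from the original article or from OpenSSL itself: a small simulation in C of the 1.0.1f heartbeat handler beside the 1.0.1g fix. The arena, the "PRIVATE-KEY-BYTES" string, the record layout and the function names are constructed for this example; only the two length checks in hb_patched mirror the logic of the real fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16      /* RFC 6520: at least 16 bytes of padding */
#define ARENA_SIZE       256
#define SECRET_OFFSET    40

/* Simulated server memory (constructed for this example): the received heartbeat
 * record is written at the start of the arena and an unrelated secret sits a
 * little further on, as freed key material would in a real process heap. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "PRIVATE-KEY-BYTES";

/* data: start of the heartbeat message; length: true size of the record as received */
typedef struct { const unsigned char *data; size_t length; } tls_record;

/* Build a request whose length field claims claimed_len bytes but carries only real_len. */
static tls_record build_heartbeat(uint16_t claimed_len, const char *payload, size_t real_len)
{
    unsigned char *p = arena;
    memset(arena, 0, sizeof arena);
    memcpy(arena + SECRET_OFFSET, secret, sizeof secret);
    *p++ = TLS1_HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8);
    *p++ = (unsigned char)(claimed_len & 0xff);
    memcpy(p, payload, real_len); p += real_len;
    memset(p, 0xAA, HB_PADDING);  p += HB_PADDING;
    tls_record rec = { arena, (size_t)(p - arena) };
    return rec;
}

/* Echo `payload` bytes starting at p back to the peer; returns the response length. */
static int write_response(unsigned char *out, const unsigned char *p, unsigned int payload)
{
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);               /* copies whatever follows p in memory */
    memset(out + 3 + payload, 0, HB_PADDING);  /* OpenSSL used RAND_pseudo_bytes here */
    return (int)(1 + 2 + payload + HB_PADDING);
}

/* Mirrors the 1.0.1f handler: the copy length is taken from the attacker-supplied
 * field and never compared with rec->length. Returns -1 if the request is dropped. */
static int hb_vulnerable(const tls_record *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    unsigned int payload = (unsigned int)((p[0] << 8) | p[1]);   /* n2s(p, payload) */
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return -1;
    /* Simulation-only guard so the over-read stays inside arena and out;
     * OpenSSL malloc'd the response and had no such check. */
    if (3 + payload + HB_PADDING > out_cap || 3 + payload > ARENA_SIZE) return -1;
    return write_response(out, p, payload);
}

/* The 1.0.1g fix: reject the record before any length-controlled copy. */
static int hb_patched(const tls_record *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    if (1 + 2 + HB_PADDING > rec->length) return -1;            /* too short to be valid */
    unsigned char hbtype = *p++;
    unsigned int payload = (unsigned int)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + payload + HB_PADDING > rec->length) return -1;  /* claims more than it sent */
    if (hbtype != TLS1_HB_REQUEST || 3 + payload + HB_PADDING > out_cap) return -1;
    return write_response(out, p, payload);
}

/* Run one request through either handler. Returns the response length or -1;
 * *leaked is set to 1 when the secret string appears anywhere in the response. */
static int run_heartbeat(int patched, uint16_t claimed_len, const char *payload,
                         size_t real_len, int *leaked)
{
    static unsigned char resp[ARENA_SIZE + 32];
    tls_record rec = build_heartbeat(claimed_len, payload, real_len);
    int n = patched ? hb_patched(&rec, resp, sizeof resp)
                    : hb_vulnerable(&rec, resp, sizeof resp);
    int found = 0, slen = (int)strlen(secret);
    for (int i = 0; n > 0 && i + slen <= n; i++)
        if (memcmp(resp + i, secret, (size_t)slen) == 0) { found = 1; break; }
    if (leaked) *leaked = found;
    return n;
}

static int heartbeat_leaks(int patched, uint16_t claimed, const char *pl, size_t n)
{
    int leaked = 0;
    run_heartbeat(patched, claimed, pl, n, &leaked);
    return leaked;
}

int main(void)
{
    int leaked, n = run_heartbeat(0, 100, "hi", 2, &leaked);  /* claims 100 bytes, sends 2 */
    printf("1.0.1f: %d-byte response, secret leaked: %d\n", n, leaked);
    n = run_heartbeat(1, 100, "hi", 2, &leaked);
    printf("1.0.1g: %d (negative means silently discarded), leaked: %d\n", n, leaked);
    return 0;
}
```

The request in main carries two real payload bytes and a length field of 100; the unpatched handler answers with 119 bytes that include the secret placed 40 bytes into the arena, while the patched handler discards the request without replying. The fix is deliberately silent: responding with an error would itself be a signal an attacker could use.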

After Heartbleed’s reveal, OpenSSL released a fixed version, 1.0.1g; systems that cannot upgrade immediately can instead rebuild OpenSSL with -DOPENSSL_NO_HEARTBEATS to disable the extension. Most major service providers updated immediately, or are in the process of doing so. While Heartbleed is certainly a critical flaw in OpenSSL, that does not necessarily mean your information has been stolen. Since the bug has existed for about two years, however, your data may have been exposed at any point in that window, and it remains exposed until a fix is applied.  For site operators, installing the patch alone is not enough: because the private key may already have been read, the certificate should be reissued with a new key and the old one revoked, and session cookies and other secrets that lived in server memory should be rotated. There is nothing users can do to protect themselves while a site they visit is vulnerable. Individuals should change their passwords across the services they use, but only once a site has confirmed that it has patched and replaced its certificate; a new password entered on a still-vulnerable site can be stolen just as easily as the old one.

To check whether a site is still vulnerable to, or protected from, the Heartbleed bug, run it through one of the following tests:

  1. https://lastpass.com/heartbleed/
  2. https://www.ssllabs.com/ssltest/

For a server you administer, the version string alone is not a reliable check: Linux distributions backported the fix into packages that still report 1.0.1e or similar, so consult the distribution's package changelog or the build date shown by openssl version -a. Also confirm that every service that links OpenSSL (web, mail, VPN) has been restarted after the update, since a running process keeps the old library in memory.