The Heartbleed bug is being billed as one of the most serious security vulnerabilities of modern times, and with good reason. Heartbleed is a flaw in a software library called OpenSSL. This library is used by millions of websites and companies around the world, and for roughly two years (from the release of OpenSSL 1.0.1 in March 2012 until the fix in April 2014) it shipped with an astonishingly simple bug that undermines the very security it is meant to provide.
What is OpenSSL?
OpenSSL is a software library that implements the SSL/TLS protocols used to secure communication between a website and the person using it. It encrypts everything from your username and password to your bank details while they travel across the network. In theory, if someone were to "snoop" on your connection to a web server, all they would see is gibberish: encrypted data that they cannot read.
What is Heartbleed?
Heartbleed is the name given to a vulnerability in OpenSSL's implementation of the TLS "heartbeat" extension (CVE-2014-0160). A heartbeat is a simple keep-alive message: the client sends a small piece of data and asks the server to echo it back, to check that the server is still there and ready to communicate. The message carries a length field stating how much data is attached. A malicious client can send a tiny payload while claiming it is much larger, up to 64 KB, and the vulnerable server never checks that claim against the size of the message it actually received. It dutifully copies the claimed number of bytes, so it responds with the tiny payload followed by whatever happened to be next in its memory, unencrypted. That memory could contain anything the server was recently working with: other users' usernames and passwords, session cookies, bank details, and even the server's private key, which would let an attacker impersonate the site or decrypt captured traffic. Each request leaks a different slice, and the exchange leaves nothing in ordinary web server logs, so it can be repeated indefinitely. OpenSSL is used by everything from small hobby websites to the biggest businesses in the world.
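To make the length mismatch concrete, here is an added example in C, written for this article and not OpenSSL's own code: a toy heartbeat handler in its vulnerable form beside its fixed form, run against a constructed "server memory" in which a made-up secret sits right after the received record. The function names, the SECRET string and the 1 KB arena are assumptions of the demo, and the claimed length is kept at 300 rather than the 64 KB a real attacker would use, so that the demonstration stays inside its own buffer instead of reading past it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat: 1-byte type, 2-byte payload length, payload, >=16 bytes padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Toy stand-in for the server's heap: the received record, then whatever sits next to it. */
typedef struct {
    uint8_t arena[1024];
    size_t  record_len;   /* bytes of the heartbeat record that really arrived */
} server_mem_t;

/* Constructed neighbour data; real leaks held cookies, passwords and key material. */
static const char SECRET[] = "cookie=SESSION-SECRET-42;-----BEGIN PRIVATE KEY-----";

static void build_memory(server_mem_t *m, uint16_t claimed_len, const char *payload) {
    size_t real_len = strlen(payload);
    uint8_t *p = m->arena;
    memset(m->arena, 0, sizeof m->arena);
    *p++ = HB_REQUEST;
    *p++ = (uint8_t)(claimed_len >> 8);     /* attacker chooses this number ... */
    *p++ = (uint8_t)(claimed_len & 0xff);
    memcpy(p, payload, real_len); p += real_len;   /* ... but sends only this much */
    memset(p, 0, HB_PADDING);     p += HB_PADDING;
    m->record_len = (size_t)(p - m->arena);
    memcpy(m->arena + m->record_len, SECRET, sizeof SECRET - 1);
}

/* Echo payload_len bytes back, as both the buggy and the fixed code do. */
static size_t write_response(const uint8_t *payload, uint16_t payload_len,
                             uint8_t *out, size_t out_cap) {
    size_t resp_len = HB_HEADER + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER, payload, payload_len);   /* the over-read, if payload_len lies */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Vulnerable logic (OpenSSL 1.0.1 to 1.0.1f): the length field is simply believed. */
static size_t heartbeat_vulnerable(const server_mem_t *m, uint8_t *out, size_t out_cap) {
    const uint8_t *p = m->arena;
    if (p[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    return write_response(p + HB_HEADER, payload_len, out, out_cap);
}

/* Fixed logic (OpenSSL 1.0.1g): compare the claim with the record that arrived
 * and silently discard anything that does not add up. */
static size_t heartbeat_fixed(const server_mem_t *m, uint8_t *out, size_t out_cap) {
    const uint8_t *p = m->arena;
    if (m->record_len < HB_HEADER + HB_PADDING) return 0;
    if (p[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (HB_HEADER + (size_t)payload_len + HB_PADDING > m->record_len) return 0;
    return write_response(p + HB_HEADER, payload_len, out, out_cap);
}

/* Did the neighbouring secret come back in the response? */
static int contains_secret(const uint8_t *buf, size_t n) {
    size_t k = sizeof SECRET - 1;
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, SECRET, k) == 0) return 1;
    return 0;
}

/* Response length for one request through either handler; 0 means dropped. */
static size_t run_heartbeat(int fixed, uint16_t claimed_len, const char *payload, int *leaked) {
    server_mem_t m; uint8_t out[1024];
    build_memory(&m, claimed_len, payload);
    size_t n = fixed ? heartbeat_fixed(&m, out, sizeof out)
                     : heartbeat_vulnerable(&m, out, sizeof out);
    if (leaked) *leaked = contains_secret(out, n);
    return n;
}

static int secret_leaked(int fixed, uint16_t claimed_len, const char *payload) {
    int leaked;
    run_heartbeat(fixed, claimed_len, payload, &leaked);
    return leaked;
}

int main(void) {
    /* 3-byte payload "hat", claimed length 300 (small enough to stay inside the toy arena). */
    printf("vulnerable: %zu bytes back, secret leaked: %d\n",
           run_heartbeat(0, 300, "hat", NULL), secret_leaked(0, 300, "hat"));
    printf("fixed:      %zu bytes back, secret leaked: %d\n",
           run_heartbeat(1, 300, "hat", NULL), secret_leaked(1, 300, "hat"));
    printf("fixed, honest request: %zu bytes back\n", run_heartbeat(1, 3, "hat", NULL));
    return 0;
}
```

Build with `cc -std=c99 heartbleed_demo.c`. The vulnerable path answers a 3-byte request with 319 bytes, and the made-up secret is among them; the fixed path drops the same request and only echoes a request whose claimed length fits inside the record that actually arrived. That single comparison is the whole of the 1.0.1g fix.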
What Can Users Do About Heartbleed?
Because Heartbleed affects so many high-profile websites, it has received a lot of media attention and was fixed quickly: OpenSSL 1.0.1g, released on the day of disclosure, adds the missing length check. There has even been a new project launched called LibreSSL, a fork of OpenSSL by the OpenBSD developers that aims to clean up the code base in which this bug went unnoticed. However, as a website user you have no power over the software a web server runs. The operator of each site has to patch it and, because the server's private key may have leaked, should also replace its TLS certificate.
As an end user, what you can do is follow best practices when you use the web. Change your passwords for every important website, including your mail, social media, forum, shopping and banking accounts, but only once that site has confirmed it has patched the bug: a new password entered on a still-vulnerable server can be leaked just like the old one. Do not re-use passwords across multiple sites. Password re-use is a common problem, and it is something attackers love. A lot of people use the same passwords for forums and games (which often have poor security) as they do for banking, shopping and government websites. This is dangerous because if someone acquires your forum login details they can test those details against more valuable websites, and could gain access to an account they can spend money from or use for identity theft. A password manager makes a unique password per site practical.
Most website owners have by now updated their OpenSSL installations (and, ideally, reissued their certificates). After that, it is up to you to reset your passwords and to follow security best practices.