The Non-Geek's Guide to Heartbleed, the Terrifying Web Security Breach
Today, Bloomberg cited two anonymous sources to report that the National Security Agency has been using "Heartbleed" to "gather critical intelligence" from protected internet traffic. The NSA is denying that report. Okay. But what is Heartbleed, exactly?
Despite what it sounds like, it's not a Florida hardcore band. Heartbleed is a terrifying security breach in one of the internet's foundational technologies, and it's been giving hackers—and, according to Bloomberg, the NSA—an opening for over a year. Here is what non-techies need to know:
What is "Heartbleed," exactly?
Heartbleed is the name given to a flaw in a widely used piece of security software called OpenSSL. That little lock icon you might see in your URL bar when you visit any of a variety of fine internet media/content/social media/porn properties? The "s" in "https://"? That's SSL, or secure sockets layer, a security protocol used to protect transmissions on the internet.
The little lock icon, and the "s," serve a simple function. They indicate that, thanks to SSL, the data you exchange with that website—which includes passwords, credit card information, etc.—is encrypted.
But it turns out that in many cases the little lock icon has been lying to you.
Heartbleed is a flaw in OpenSSL, one of the most widespread implementations of SSL. Put over-simply, Heartbleed could allow a hacker or a government official or your next-door neighbor to ping the website you visited—in what's called a "heartbeat"—and pull data out of the server's memory. This bad actor could then reconstitute passwords and other sensitive information from that data.
How does it work, exactly?
Gizmodo has a more in-depth explanation here, but in a nutshell: a heartbeat message carries a small chunk of data plus a number saying how big that chunk is, and the server is supposed to echo the chunk back. Heartbleed allows a hacker to lie about that number. The overly trusting server never checks the claim against what actually arrived, so it sends back as much of its memory as the number asked for—including data that it's supposed to keep private.
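To make the "lying about the size" part concrete, here is an added example in C; it is not code from this article or from OpenSSL itself, just a constructed model of the heartbeat handling described above. The message layout follows the TLS heartbeat format (a type byte, a two-byte length, the payload, then at least 16 bytes of padding). Everything else is an assumption made for the illustration: the buffer layout, the secret string planted after the record, and the function names `heartbeat_vulnerable`, `heartbeat_fixed` and `run_scenario`. The vulnerable handler trusts the claimed length; the fixed handler adds the one comparison against the bytes that actually arrived. A `memory_len` guard keeps the model inside its own array so it runs safely; the real bug had no such bound.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat wire layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * Everything below is a constructed model, not OpenSSL's own code or data structures. */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16
#define HB_REQUEST     1
#define HB_RESPONSE    2

static uint16_t read_u16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Shared by both handlers: write type, length, the echoed payload and zero padding
 * into `out`. Returns the response length, or 0 if `out` is too small. */
static size_t build_response(const uint8_t *payload, uint16_t payload_len,
                             uint8_t *out, size_t out_cap)
{
    size_t total = HB_HEADER_LEN + (size_t)payload_len + HB_PADDING_LEN;
    if (total > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, payload, payload_len);
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_PADDING_LEN);
    return total;
}

/* `memory` models the buffer the record was received into: the first `record_len`
 * bytes are what the peer actually sent; what follows is stale data the process
 * stored there earlier. */

/* Vulnerable handler: echoes as many bytes as the peer's length field claims,
 * never comparing it with `record_len`, so the copy runs past the record into the
 * stale data. The `memory_len` guard exists only so this model never reads outside
 * its own array; the real bug had no such bound. */
size_t heartbeat_vulnerable(const uint8_t *memory, size_t memory_len,
                            size_t record_len, uint8_t *out, size_t out_cap)
{
    if (record_len < HB_HEADER_LEN || memory[0] != HB_REQUEST) return 0;
    uint16_t payload_len = read_u16(memory + 1);
    if (HB_HEADER_LEN + (size_t)payload_len > memory_len) return 0; /* model guard only */
    return build_response(memory + HB_HEADER_LEN, payload_len, out, out_cap);
}

/* Hardened handler: the missing bounds check. Header, claimed payload and minimum
 * padding must all fit inside the bytes that actually arrived; otherwise the
 * request is dropped without a reply. */
size_t heartbeat_fixed(const uint8_t *memory, size_t memory_len,
                       size_t record_len, uint8_t *out, size_t out_cap)
{
    if (record_len > memory_len) return 0;
    if (record_len < HB_HEADER_LEN + HB_PADDING_LEN || memory[0] != HB_REQUEST) return 0;
    uint16_t payload_len = read_u16(memory + 1);
    if (HB_HEADER_LEN + (size_t)payload_len + HB_PADDING_LEN > record_len) return 0;
    return build_response(memory + HB_HEADER_LEN, payload_len, out, out_cap);
}

/* Constructed scenario: the request really carries the 5-byte payload "hello"
 * (24 bytes on the wire with padding) but its header claims `claimed_len` bytes.
 * A constructed secret sits in memory right after the record. Returns -1 if the
 * handler dropped the request, otherwise how many bytes of the secret came back. */
long run_scenario(int use_fixed, uint16_t claimed_len)
{
    static const char secret[] = "password=hunter2;session=abc123"; /* constructed */
    uint8_t memory[96] = {0};
    uint8_t out[160];
    const size_t real_payload = 5;
    const size_t record_len = HB_HEADER_LEN + real_payload + HB_PADDING_LEN;

    memory[0] = HB_REQUEST;
    memory[1] = (uint8_t)(claimed_len >> 8);
    memory[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(memory + HB_HEADER_LEN, "hello", real_payload);
    memcpy(memory + record_len, secret, strlen(secret)); /* stale data beyond the record */

    size_t n = use_fixed
        ? heartbeat_fixed(memory, sizeof memory, record_len, out, sizeof out)
        : heartbeat_vulnerable(memory, sizeof memory, record_len, out, sizeof out);
    if (n == 0) return -1;

    /* The echoed payload ends before the padding; count how much of the secret
     * appears at the position where the real record ended. */
    size_t payload_end = n - HB_PADDING_LEN;
    size_t leaked = 0;
    while (record_len + leaked < payload_end && secret[leaked] != '\0'
           && out[record_len + leaked] == (uint8_t)secret[leaked])
        leaked++;
    return (long)leaked;
}

int main(void)
{
    printf("honest request, vulnerable server:  %ld secret bytes leaked\n", run_scenario(0, 5));
    printf("oversized claim, vulnerable server: %ld secret bytes leaked\n", run_scenario(0, 40));
    printf("oversized claim, patched server:    %ld (request dropped)\n", run_scenario(1, 40));
    printf("honest request, patched server:     %ld secret bytes leaked\n", run_scenario(1, 5));
    return 0;
}
```

The difference between the two handlers is a single comparison, which is the whole reason the advice later on is to wait for a site to upgrade before changing a password: until that check is in place on the server, a new password sits in the same memory the old one did.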
When you say "widely-used," do you mean every website on the internet?
Not every website. Amazon, for example, was not affected, nor were most banks. But Google, Facebook, Tumblr, Dropbox, and countless others were—even some routers. So the situation is something like Defcon Level Godfuckingdamnit, but not quite Fuck Everything just yet.
This sounds like something the NSA and other intelligence agencies could exploit.
Well: Today Bloomberg reports that
[t]he U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The NSA initially declined official comment. UPDATE: Through its Twitter account, the NSA is denying Bloomberg's report:
Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.
— NSA/CSS (@NSA_PAO) April 11, 2014
Wait, are Gawker Media websites vulnerable to Heartbleed?
Gawker Media sites have been patched: "We offload SSL to both a third party service (our CDN, Fastly) and to a vendor's network appliance (a citrix netscaler)," our Director of Tech Operations Jim Bartus says. "The former was patched quickly (link), the latter was immune." As for Kinja accounts, VP Engineering Peter Hausel writes "we send only the username and a short-lived token over HTTPS, so our users (including burners) should not be affected."
Has it always been this way? Have I been handing out the keys to my personal online castle for years on end?
No, only possibly for the last year or two. The flaw in the code—the "bug"—was apparently added to the code in late 2011. That version of OpenSSL was made available to the public in March 2012. Any website that updated to that version of OpenSSL was affected, but since a site may have updated sometime after the release, it's hard to say how long your data has been vulnerable, and it depends on which website.
Should I change all of my passwords immediately?
Yes, on affected websites, but you should wait until those places have upgraded to the latest version of OpenSSL. If they haven't, your new password could be as vulnerable to Heartbleed as your old one. Gizmodo's been keeping a list, and they also recommend this Mashable list, which I also like.
How can I find out if my information has already been hacked?
You likely can't. One reason why the Heartbleed vulnerability is so frightening is that the hacker can gather your information and leave little to no trace behind.
That leaves me feeling as though I have no control over this situation.
We have control over precious little in this life.
Is there someone I can blame nonetheless?
There is a German software developer who is taking responsibility for introducing the bug. He bears the inauspicious name of "Dr. Robin Seggelmann." Some people early on were suggesting he possibly introduced the flaw in the code maliciously, which he denies.
By some people, you mean, "Reddit"?
Sure. That said, they are not the only ones feeling paranoid about the bug.
How can I stop feeling frustrated that the digital underpinnings of modern existence make me so vulnerable to invasions of privacy?
There is, always, the option of going off the grid. Otherwise, a combination of Zen Buddhism and a nice therapist might help.
[Image by Jim Cooke]