The Aftermath of the Heartbleed Bug

Most of us realize that transmitting information over the internet has its share of risks. That’s why so many of us only share sensitive information, like credit card and social security numbers, with so-called “secure sites,” the ones whose web address begins with “https”. However, as we learned on April 7th, 2014, even secure sites can fail us from time to time. In fact, as we soon were made aware, millions of secure sites had been failing us for more than two years. A full two-thirds of websites rely on a program called OpenSSL to encrypt user information, making it possible for visitors to complete credit card transactions and other similarly private tasks without fear that their information could be stolen. What most of us didn’t realize until April 7th was that there was a small error, since nicknamed the Heartbleed bug, in the code of OpenSSL. It had been there since the very beginning, December of 2011. By abusing this error, hackers could gather some of the information OpenSSL had been put in place to encrypt. In other words, all of that information you shared in confidence, safe in the knowledge that the site you were using was secure, was seemingly up for grabs.

Do the hackers have my credit card information?

So what exactly did the hackers get? At this point, it’s extremely hard to say. If they were able to get access to a site’s encryption keys, they could basically take anything they wanted. Some experts believe that the hackers might not have been able to access those keys using the bug alone. Still, the large majority agree that it would have been very easy for those hackers to, at the very least, steal passwords from recent users. In the end, all we can do at this time is speculate. That’s because hacking into a system using this bug leaves no traces behind. If you know what you’re doing, you can head in, steal data and get out without making a peep. Plus, for all we know, hackers might have found this bug months ago. They might very well have been stealing our data for two years. One thing is certain: if they didn’t know about the bug before, they certainly do now. Obviously, when this bug was discovered the public had to be informed, but you can’t inform the public without also informing anonymous hackers about the bug’s existence. Currently, we’re in the midst of a race, with technicians working to solve this problem before hackers can exploit it. Happily, it looks as if the technicians are winning.

About 56% of websites are secure, and about half of those were vulnerable to the bug. This includes some major sites like Yahoo and Flickr. Google and Facebook were quick to say that they were not affected by the bug. At the time of this writing it has only been a few days since the discovery of the bug, and already most of the popular sites which were vulnerable to the attack have rectified the situation. The makers of OpenSSL quickly created a patched version of the program, and this new version was soon implemented by just about every major site affected by the bug. We at Neon Goldfish have taken extensive measures to protect both our site and the sites of our clients, and we’re happy to say that none of the websites in our extended family are vulnerable to the effects of Heartbleed, and all are completely safe to use. Indeed, most of the sites you regularly visit almost certainly are by now. However, that doesn’t mean you’re completely off the hook.

What can I do?

Yes, most of the sites that were vulnerable to hacking through this bug are safe now, but we still don’t know how much information was taken, or even what information specifically. For your safety, you’ll want to go to every site that you’ve allowed to store sensitive information about you and change your password, preferably to something as unpredictable as possible. However, remember that just because a fix has been released, that doesn’t mean every affected site has implemented it. Changing your password on a site which has not implemented the new version of OpenSSL is pointless, as your new password could be stolen just as easily as your old one. Internet security company LastPass has created a tool which you can use to check URLs for Heartbleed vulnerability, which can be found here: http://filippo.io/Heartbleed/. If the site checks out, log in and change your password as soon as possible. If it doesn’t, stay away for now.

That all being said, there is a larger question here: how trusting can we be going forward? These were the sites we trusted the most, the ones which we felt safest using. If these sites could have been compromised, and for two years without anyone noticing, who’s to say that it won’t happen again? Sure, this problem has been corrected, for the most part anyway, but couldn’t there just be another problem, and another and another? The somewhat uncomfortable truth is that you can’t get better unless you mess up first. Yes, this was a huge blunder, the effects of which are going to be felt, in one way or another, for a good while, but with every error we make we’re getting smarter and better equipped. The programmers of OpenSSL are clearly making an effort to learn from their mistakes rather than trying to sweep them under the rug or deny blame, and that’s to be commended. Internet security isn’t going to become perfect any time soon, but after this event it’s going to get better. I’m ready to trust OpenSSL, and the secure sites which utilize it, again, because I believe them when they say that they’ve corrected their mistake, and I trust that they’ll do everything in their power to keep this sort of thing from happening again.