Heartbleed flaw explained. Clearly. No jargon.


You’ve probably heard plenty about an Internet scare dubbed Heartbleed over the last day. We explain what it is and what you need to do, all in easy-to-understand terms.

Essentially, Heartbleed is the name given to a flaw that was discovered in a piece of software called OpenSSL. OpenSSL is the software that allows many websites and web servers to exchange information securely with a recipient across cyberspace, without others intercepting and reading that information.

Basically you know how in Hollywood movies they say things like “are we on a secure line?”. Well OpenSSL allows a “secure line” to be secure. Only in this case across cyberspace, between computers.

Somewhat ironically though, OpenSSL isn’t as secure as many first thought, and the flaw could have allowed criminals to exploit OpenSSL communications to “fish” for information from the sites and servers that use it. The flaw would allow a criminal to receive a limited amount of leaked information every time they applied an exploit. Such information could be valuable. It could be useless. But a criminal could apply the exploit an indefinite number of times, accumulating more and more information as they went.

That information could be usernames, passwords, credit card information or even encryption keys that would allow a criminal to intercept any data between that server and someone else.

The flaw was in a feature of OpenSSL called “Heartbeat”, which allows computers to send simple radar-like pings across a secure connection to check that the other side is still there. This feature could be abused to make the other computer leak potentially sensitive data along with its reply, hence the term “Heartbleed”. Catchy, no?
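To show what “leaking data along with the reply” means in practice, here is a small added illustration written for this post; it is not OpenSSL’s code and not from the original article. It models a heartbeat message the way the standard (RFC 6520) lays it out: a type byte, a two-byte claimed payload length, the payload, then padding. The simulated memory contents, the 32-byte claimed length and the `SECRET_NEXT_TO_RECORD` neighbour are all constructed for the demonstration. The vulnerable handler copies as many bytes as the message claims, so its reply includes whatever sits next to the message in memory; the fixed handler checks the claim against what actually arrived and silently drops anything that doesn’t fit, which is the same check the real OpenSSL fix added.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520):
 *   byte 0    : type (1 = request, 2 = response)
 *   bytes 1-2 : payload_length, big-endian
 *   bytes 3.. : payload, then at least 16 bytes of padding
 * The record layer tells the handler how many bytes really arrived (rec_len).
 * The bug: the claimed payload_length was trusted without comparing it to rec_len. */
#define HB_HEADER   3   /* type byte + 2-byte length */
#define HB_PADDING 16   /* minimum padding required by RFC 6520 */

/* Constructed stand-in for a slice of process memory: a 24-byte message whose
 * real payload is "hello" (5 bytes) but which CLAIMS 0x0020 = 32 bytes, followed
 * by unrelated neighbouring data. Everything lives in one array so the
 * demonstration itself never reads outside memory it owns. */
static const uint8_t sim_memory[] =
    "\x01\x00\x20" "hello"                 /* type 1, claimed length 32, payload "hello" */
    "\x00\x00\x00\x00\x00\x00\x00\x00"     /* 16 bytes of padding */
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "SECRET_NEXT_TO_RECORD";               /* neighbouring data, NOT part of the message */
#define MALFORMED_REC_LEN (HB_HEADER + 5 + HB_PADDING)   /* 24 bytes actually received */

/* The same payload, honestly sized, for comparison. */
static const uint8_t good_record[] =
    "\x01\x00\x05" "hello"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00";
#define GOOD_REC_LEN (HB_HEADER + 5 + HB_PADDING)

static size_t read_claimed_len(const uint8_t *rec) {
    return (size_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable shape: trusts the claimed length. Any bytes past rec_len in the
 * copy come from whatever happens to sit next to the message. Returns bytes copied. */
static size_t vulnerable_heartbeat(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap) {
    size_t claimed = read_claimed_len(rec);
    (void)rec_len;                               /* the bug: never consulted */
    if (claimed > out_cap) claimed = out_cap;    /* keeps the demo inside its own buffer */
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* Fixed shape: if header + claimed payload + padding exceeds what arrived,
 * discard the message silently. Returns bytes copied, or -1 when discarded. */
static int fixed_heartbeat(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return -1;            /* too short to be valid */
    size_t claimed = read_claimed_len(rec);
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return -1;  /* claim does not fit: drop */
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HB_HEADER, claimed);
    return (int)claimed;
}

/* Bytes the vulnerable reply took from beyond the message: 32 - (5 + 16) = 11. */
size_t vulnerable_overread_bytes(void) {
    uint8_t reply[64];
    size_t n = vulnerable_heartbeat(sim_memory, MALFORMED_REC_LEN, reply, sizeof reply);
    size_t inside = MALFORMED_REC_LEN - HB_HEADER;
    return n > inside ? n - inside : 0;
}

/* 1 if the tail of the vulnerable reply is exactly the neighbouring data ("SECRET_NEXT"). */
int vulnerable_reply_contains_neighbour(void) {
    uint8_t reply[64];
    size_t n = vulnerable_heartbeat(sim_memory, MALFORMED_REC_LEN, reply, sizeof reply);
    size_t inside = MALFORMED_REC_LEN - HB_HEADER;
    return n > inside && memcmp(reply + inside, "SECRET_NEXT", n - inside) == 0;
}

int fixed_result_for_malformed(void) {
    uint8_t reply[64];
    return fixed_heartbeat(sim_memory, MALFORMED_REC_LEN, reply, sizeof reply);  /* -1 */
}

int fixed_result_for_good(void) {
    uint8_t reply[64];
    return fixed_heartbeat(good_record, GOOD_REC_LEN, reply, sizeof reply);      /* 5 */
}

int main(void) {
    printf("vulnerable handler: %zu bytes in the reply came from outside the message\n",
           vulnerable_overread_bytes());
    printf("fixed handler, over-sized claim: %d (message discarded)\n", fixed_result_for_malformed());
    printf("fixed handler, honest message: %d bytes echoed back\n", fixed_result_for_good());
    return 0;
}
```

The point to take away is how small the difference is: one comparison between the length a message claims and the length that actually arrived. With it missing, every ping could carry back a slice of neighbouring memory, and nothing in the exchange looked abnormal to the server.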


Yahoo.com was the most high-profile website to have been left vulnerable.

The security flaw was discovered by “white-hat hackers”. What this means is that the people who discovered it look for exploits in order to keep systems secure, and so they would not use the vulnerability for nefarious purposes.

In fact, it is simply not known if this vulnerability has ever been exploited by criminals, since there would be no way to trace this kind of attack if it has ever occurred. We do know the flaw has been present for around 2 years.

Basically, there is no way for YOU to know if your accounts on affected services have been compromised.

Given the number of accounts across different websites this flaw could potentially have compromised (literally billions), coupled with the fact that we don’t even know whether any criminals discovered the flaw, the chances of you being directly attacked because of this debacle are rather low.

But of course low doesn’t mean impossible, so users of certain services (see below) are being advised to change their passwords, at least on affected services that have applied the patch to fix the problem.

So ultimately it is up to you to decide for yourself. Password changing is relatively easy to do, so if you really don’t want to risk your accounts being compromised, then there really is no reason not to change those passwords.

So, affected services include all of Yahoo’s services, such as Yahoo.com, Yahoo Finance, Tumblr and Flickr; technology forum sites stackoverflow.com and stackexchange.com; dating site okcupid.com; proxy site hidemyass.com; Outbrain.com; Archive.org; Redtube.com; and Squidoo.com.

Popular sites not affected are Facebook.com, Amazon.com Retail (including locales) and Google.com (including locales).

For other sites, the recommended course of action would be to contact them to request information and find out whether they have applied the patch to OpenSSL to fix the problem (since updating your password before the service fixes the flaw would be rather pointless).

Further reading:
Check if a website is still affected: Filipp.io
Heartbleed, with the jargon: Sophos Naked Security
Image credit: Codenomicon