You may be seeing a lot of panic today over “Heartbleed,” which affects the Internet. And amid the panic, few have bothered to explain what’s going on. So here’s what Heartbleed is, what you need to do, and how to protect yourself.
Is it some weird new virus?
No, Heartbleed is the nickname for a rather nasty bug in OpenSSL. If that sounds familiar, that’s because OpenSSL is an enormously popular method of keeping your information private on the Internet. Thousands, if not millions, of websites use OpenSSL to protect your username, password, credit card information, and other private data. Tests have shown you can access this data completely anonymously with no sign you were ever there.
Yes, that is more or less the technical assessment of the Internet. The good news is that, so far, it doesn’t look like there have been any data breaches. The bad news is that Yahoo! is one of the most vulnerable major sites. Facebook and Google seem OK, but they haven’t committed anything to paper just yet.
How screwed are we?
Well, that depends. The bug has been in the wild for two years, but was only discovered and announced this week. OpenSSL has already been fixed, so it’s really up to the sites to get the fix in as quickly as possible. And you’re likely going to get emailed by every site you have an account on, explaining that they’ve upgraded and they’re very, very sorry.
Is there anything I can do to protect myself?
Directly? Nope. Indirectly? Plenty.
First of all, call any sites you use regularly for financial purposes and ask them about Heartbleed. If they confirm there’s a vulnerability, check your financial statements carefully for fake charges. Suffice to say fraud departments across all credit card companies are on full alert.
In terms of passwords, don’t change your password on any website that you have not confirmed has addressed the bug. Once they’ve confirmed it’s changed, get a new password immediately.
Mostly, though, it’s a matter of waiting for updates from the sites you use.
Why did this happen in the first place? Why does everyone use OpenSSL?
Essentially, because most web servers are built on some form of Unix, and OpenSSL works with Unix and is completely free. “Free” is tempting on the Internet, especially when you’ve got servers to pay for.
So, keep an eye out, but don’t panic until you’re given good reason to. There’s enough to worry about on the Internet already.