What you can do about the Heartbleed bug

A major bug in the encryption standard used by about two-thirds of the Internet has left companies scrambling to patch their systems -- and let their customers know the extent of the possible damage. Any way you slice it, it's a pretty big problem and one that you should really understand.

To be honest, there isn't much an average Web user can do about it, but there are some steps you can take. So take a deep breath, clear out the next 10 minutes and read on:

First thing's first. What's going on?

If you've ever seen the little lock icon on a Web site, that's a signal that the site is using a security protocol called Secure Socket Layers (SSL) and an indication that the data you enter into the site won't be readable to anyone trying to peek in on your transaction.

This bug, "Heartbleed," is a flaw in the encryption standard known as OpenSSL -- an open library that many Web sites use to secure the data they process.

They can do this by locking onto a signal that sites send each other -- called a heartbeat -- to ensure that they have a secure connection. By way of a very basic explanation, the Heartbleed bug essentially returns more information for these requests than it's supposed to, so it's possible to scoop up data on a system without anyone ever knowing. All data is fair game, including information on how sites encrypt their data in the first place -- meaning that information we thought was secure may not be so secure after all.

Am I affected?

It's more than likely that the answer is yes. Odds are that some site that you use frequently has unknowingly contained this bug, though that doesn't necessarily mean your information has been taken.

As my Post colleagues at The Morning Mix noted, 47 of the Web's top 1,000 Web sites that use SSL were vulnerable to the bug. Of the top 10,000 Web sites that use the standard, 628 were susceptible to Heartbleed.

How long has this been happening? Has it been used to steal data already?

The bug has been around for at least two years without being widely known, which is part of what makes the problem so bad. Companies across the Web such as Facebook, Yahoo, Tumblr and Amazon.com have already rolled out fixes while others are working as fast as they can, but there's a chance it's too little, too late.

Thus far, researchers don't know if there's been an attack "in the wild" -- meaning not as part of a controlled experiment.

But the researchers at Codenomicon, which publicized the exploit after discovering it with Google Security engineer Neel Mehta, said that they were able to attack "ourselves from outside, without leaving a trace." And in those attacks, they were able to steal usernames, passwords, e-mails and critical documents from their own site

Has my credit card information been taken?

It's possible. Many companies that process financial information have multiple layers of security, but if you're concerned you should call your bank or favorite retailer and ask them what to do.

And it's always a good idea to keep a closer eye on your statements and look for weird activity that may come up -- a good practice in general, and even more important now.

Okay. I know this drill. Which passwords should I be changing?

That's a trickier question to answer than you may think. Some companies, such as Tumblr, are recommending that you change your passwords, even though the site itself has no record of a breach or attack. Etsy, which also announced publicly that it's patched its systems although there's been no record of an attack, also recommends that you change your passwords. Once you hear from a company that you should change your passwords, you should do it as soon as you can.

But while you may want to rush out and change everything right now, there is an argument to be made that you should stop and think about it first. For one, if companies haven't yet fixed the flaw, then changing your password right now isn't going to help anything.

And, sadly, that's really all you can do as a normal Web user. The onus here is on companies to update their systems and let you know what to do next.

I own a small business/run a hobby group/have a Web site that collects information. How do I make sure my users are protected?

If you own a business and it has a Web site, you should be in touch with whoever runs your Web site and find out if they've released a patch. Then, either follow their instructions on next steps to take or pressure them like crazy to get a patch rolled out to you.

And then you should move as quickly as possible to let your users know the status of your site and give them instructions on how to change their passwords.

Hayley Tsukayama covers consumer technology for The Washington Post.
Comments
Show Comments
Most Read Business
Next Story
Cecilia Kang · April 9