The Washington Post

Heartbleed: What you should know

Experts have discovered a major flaw in the security software used by millions of Web sites — including banks, e-mail and social media services — that exposes users’ names and passwords, the content of their communications, and their data to anyone who knows how to exploit the weakness. This does not mean your information has necessarily been stolen. It may mean that it’s been vulnerable to theft and may remain vulnerable until a fix is applied.

It’s as if your front door has a defective lock. Someone could get in as long as it’s not fixed. But that does not mean they’ve already gained entry.

What can you do about it?

Not much. The problem is mostly on servers. A fix is available and being implemented by Web companies. Most experts are advising consumers not to rush out and change their passwords until the fix is complete.

Here are some more critical questions and answers.

Q: What is SSL?

A: It stands for Secure Sockets Layer. It is the technology for establishing an encrypted link between a Web server and a browser. This link ensures that all data passed between the Web server and browsers remains private. “Open” SSL simply means that the code is freely available.

It’s the “s” in “https” that is supposed to stand for “secure.” Unlike Web sites that begin with “http,” “https” sites have a lock in browser address bars.

“That lock is supposed to signal that third parties won’t be able to read any information you send or receive. Under the hood, SSL accomplishes that by transforming your data into a coded message that only the recipient knows how to decipher,” explains Vox’s Timothy Lee. “If a malicious party is listening to the conversation, it will only see a seemingly random string of characters, not the contents of your emails, Facebook posts, credit card numbers, or other private information.”

Q: Is there a fix?

A: Yes. It’s being distributed and implemented, but the bug has been around a while, and nobody seems sure whether someone has already exploited it and, if so, how much damage has been done.

Q: Should you change your passwords?

A: Don’t rush to change your password.

“Security experts suggest waiting for confirmation of a fix,” CNET warns, “because further activity on a vulnerable site could exacerbate the problem.”

By some estimates, more than half a million Web sites, or two-thirds of the Internet, are vulnerable.

You can use this tool to see if a Web site is vulnerable. If it is, don’t log in until the company confirms it has updated its SSL software and changed its security certificates. After that, you can change your password.

This list shows 1,000 Web sites that have been tested for Heartbleed. You can also use this tool to see if a site not listed is affected. The bug affects sites using the version 1.0.1 or 1.0.2-beta releases of OpenSSL, which comes with many versions of Linux. OpenSSL has released version 1.0.1g to fix the bug.
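The version numbers above are the quickest first check an administrator can make. The script below, an added example that is not part of the article, reads an `openssl version` banner and reports whether that release is in the affected range. It assumes, as the article states, that the 1.0.1 series and the 1.0.2-beta pre-release are affected and that 1.0.1g is the first fixed release; the finer detail that 1.0.1 through 1.0.1f are the affected 1.0.1 releases and that only 1.0.2-beta1 of the betas carried the bug is added here from the OpenSSL release history. One caveat matters in practice: Linux distributions often backport the fix without changing the upstream version string, so a "vulnerable" result from the banner alone is a prompt to check the package changelog, not a confirmed finding.

```python
"""Check an OpenSSL version banner against the Heartbleed-affected range.

Added example, not code from the article or from the OpenSSL project.
Assumes affected releases are OpenSSL 1.0.1 through 1.0.1f and the
1.0.2-beta1 pre-release, and that 1.0.1g is the first fixed 1.0.1 release.
"""
import re
import subprocess

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner):
    """Split a version banner into (major, minor, patch, letter, beta)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter, int(beta) if beta else None)


def heartbleed_status(banner):
    """Return 'vulnerable', 'fixed' or 'unaffected' for an upstream version banner."""
    major, minor, patch, letter, beta = parse_openssl_version(banner)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f shipped the bug; 1.0.1g removed it.
        return "vulnerable" if letter < "g" else "fixed"
    if (major, minor, patch) == (1, 0, 2):
        # Only the 1.0.2-beta1 pre-release carried the bug; later betas and
        # the final 1.0.2 release were cut after the fix.
        return "vulnerable" if beta == 1 else "fixed"
    # 0.9.8 and 1.0.0 never contained the heartbeat extension code.
    return "unaffected"


def local_openssl_status():
    """Run the local `openssl version` command and classify its banner.

    Remember that a distribution build may carry the fix under an old
    version string; treat 'vulnerable' as a reason to check the package
    changelog rather than as a confirmed result.
    """
    try:
        banner = subprocess.check_output(["openssl", "version"], text=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return "openssl not found"
    return heartbleed_status(banner)


if __name__ == "__main__":
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 1.0.0l 6 Jan 2014"):
        print(sample, "->", heartbleed_status(sample))
    print("this machine ->", local_openssl_status())
```

The banners in the `__main__` block are real release strings; `local_openssl_status` is the only part that touches the host, and it does nothing more than run `openssl version`.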

Q: How did this happen?

A: “The vulnerability was introduced in 2011, apparently by accident when the open source code was updated, but the error was only spotted recently. That has raised fears that some attackers may already have been exploiting it to steal information,” the Guardian reported.

Q: What exactly is the problem?

A: According to Gigaom, it is “a weakness in one feature of the [OpenSSL] software — the so-called ‘heartbeat’ extension, which allows services to keep a secure connection open over an extended period of time — [that] allows hackers to read and capture data that is stored in the memory of the system.”

There are many more explanations on the Internet. Try Gigaom. The Wire also has a good primer.
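The heartbeat flaw comes down to one missing comparison: the server copied as many bytes as the sender's length field claimed, without checking that the received record was actually that long. The toy model below, an added example that is not code from the article or from OpenSSL, shows that defect beside the bounds check the fix introduced. It keeps only the parts of the heartbeat message needed to make the point (a one-byte type, a two-byte length, the payload and the required padding), simulates process memory with a bytearray, and uses constructed data throughout; the record layout and the padding size are simplifying assumptions of this example.

```python
"""Toy model of the bounds check that the OpenSSL heartbeat code was missing.

Added example, not code from the article or from OpenSSL. The record layout
(type byte, two-byte big-endian length, payload, padding) and the 16-byte
minimum padding are simplifying assumptions of this example.
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # assumed minimum padding appended to every heartbeat message
HEADER_LEN = 1 + 2  # type byte plus the two-byte payload length


def build_heartbeat(payload, claimed_length=None):
    """Build a heartbeat request; claimed_length lets a test make the length field lie."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * MIN_PADDING


def unpatched_heartbeat(memory, record_length):
    """Echo as many bytes as the length field claims, trusting the sender."""
    payload_length = struct.unpack("!H", memory[1:HEADER_LEN])[0]
    # Defect: payload_length is never compared with record_length, so the copy
    # below can run past the record into whatever else sits in memory.
    payload = bytes(memory[HEADER_LEN:HEADER_LEN + payload_length])
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_length) + payload


def patched_heartbeat(memory, record_length):
    """Echo the payload only if the claimed length fits inside the received record."""
    if record_length < HEADER_LEN + MIN_PADDING:
        return None  # too short to hold a type, a length and the padding: discard
    payload_length = struct.unpack("!H", memory[1:HEADER_LEN])[0]
    if HEADER_LEN + payload_length + MIN_PADDING > record_length:
        return None  # claimed payload would extend past the record: discard silently
    payload = bytes(memory[HEADER_LEN:HEADER_LEN + payload_length])
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_length) + payload


def simulate(record, neighbouring_data, handler):
    """Place the record in a buffer followed by other process data, then run the handler."""
    memory = bytearray(record + neighbouring_data)
    return handler(memory, len(record))


if __name__ == "__main__":
    # Constructed stand-in for unrelated data that happens to follow the record in memory.
    neighbour = b"CONSTRUCTED-SESSION-COOKIE"
    honest = build_heartbeat(b"ping")
    print("honest, unpatched:", simulate(honest, neighbour, unpatched_heartbeat))
    print("honest, patched:  ", simulate(honest, neighbour, patched_heartbeat))
    oversized = build_heartbeat(b"ping", claimed_length=64)
    print("oversized, unpatched:", simulate(oversized, neighbour, unpatched_heartbeat))
    print("oversized, patched:  ", simulate(oversized, neighbour, patched_heartbeat))
```

For a well-formed request both handlers produce the same reply; for a request whose length field exceeds the record, the patched handler discards it, which is why the fix was a small change to the length check rather than a redesign of the extension.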

Here are a few updates from major Web sites regarding the breach:

Tumblr says it has no evidence of any breach and took immediate action to fix the issue. However, the site suggests that users change their passwords.

Amazon has fixed the bug for most of its services. (Disclosure: Amazon chief executive Jeff Bezos owns The Washington Post.)

As of 11 p.m. Tuesday, Twitter and Facebook had not posted warnings about the breach on their corporate sites.

Around 3 p.m. Tuesday, Yahoo told CNET: “As soon as we became aware of the issue, we began working to fix it. Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr, and Tumblr) and we are working to implement the fix across the rest of our sites right now.”

Google confirmed that it had applied the SSL update to its key services.

Ars Technica has a notice advising customers to change their account passwords.

Update from Etsy: “Yesterday evening (April 7, 2014), we patched the small part of our infrastructure that we had identified as being vulnerable. We also worked with our third party partners to ensure that their systems which we rely on were also protected. While we’re not currently aware of any other ongoing site issues connected to Heartbleed, we continue to undergo additional checks to ensure the security of Etsy, as well as those of the partner services that we use.”