‘Heartbleed’ Internet security bug is as bad as it sounds

April 9, 2014

Hiawatha Bray

The word “Heartbleed” meant nothing at the start of the week. Today it is one of the hottest topics on the Internet — a simple security bug in an obscure piece of software that could compromise the personal information of millions. And while the Internet’s biggest companies scramble to fix the problem, users had better get ready to upgrade their own security practices.

“It’s not an academic exercise,” said Trey Ford, global security strategist at network security firm Rapid7 LLC in Boston. “I think this is a really big deal.”

So big that Ford thinks people should take a time out from online retailers, financial services sites, or online destinations that require entering sensitive information — names, addresses, credit card numbers. “I probably wouldn’t log into those for a couple of days or so,” he said.

To Ford, this isn’t another exaggerated Internet scare. Heartbleed really is that bad. But what is it?

Heartbleed is a bug that was accidentally added to a vital piece of software called OpenSSL, which secures thousands of Internet sites worldwide. OpenSSL software is built into Apache, the server software used by about two-thirds of the world’s websites to deliver Web pages to your computer. It sets up an encrypted data channel between your machine and the remote server. When it’s working properly, data traveling between the two machines looks like gibberish except to the authorized computers, which have keys for decoding the information.

OpenSSL is vital to Internet commerce, making it safe to move financial information online. But in 2012, during a software upgrade, someone wrote a bit of bad code that makes it possible to read unencrypted information from the memory of the remote server. This can include the encryption keys needed to decode the data stream, and e-mails, financial data, phone numbers — pretty much anything.
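The article does not spell out what the "bad code" did. Heartbleed was a missing bounds check in OpenSSL's handling of the TLS heartbeat extension: the server copied as many bytes as the client's message claimed to contain, not as many as it had actually received, so the reply carried whatever happened to sit next in server memory. The example below is added here and is not code from the article or from OpenSSL; it uses an invented length-prefixed "echo" record format to show the flawed pattern beside the hardened handler a defender would want, with the secret in the constructed arena standing in for keys or user data.

```c
/* Added illustration (not from the article or OpenSSL): a length-prefixed
 * "echo" record handler that trusts the sender-declared length, beside a
 * hardened version that checks it against the bytes actually received.
 * The record layout (1-byte type, 2-byte big-endian length, payload) is
 * invented for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ECHO_TYPE 0x01
#define HDR_LEN   3   /* type byte + 2-byte declared payload length */

/* Flawed pattern: copies `declared` bytes out of the record no matter how
 * many bytes the peer really sent. If declared exceeds the request, the copy
 * walks past it into neighbouring server memory. This is only ever called
 * here on a record embedded in a larger arena, so the read stays inside one
 * allocation. Returns bytes written to `out`, or -1. */
static int echo_unchecked(const uint8_t *rec, uint8_t *out, size_t out_cap)
{
    if (rec[0] != ECHO_TYPE) return -1;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (declared > out_cap) return -1;       /* keeps the write in bounds */
    memcpy(out, rec + HDR_LEN, declared);    /* but not the read */
    return (int)declared;
}

/* Hardened: the declared length must fit inside the bytes received
 * (rec_len) and inside the response buffer; anything else is dropped. */
static int echo_checked(const uint8_t *rec, size_t rec_len,
                        uint8_t *out, size_t out_cap)
{
    if (rec_len < HDR_LEN || rec[0] != ECHO_TYPE) return -1;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (declared > rec_len - HDR_LEN) return -1;  /* the missing check */
    if (declared > out_cap) return -1;
    memcpy(out, rec + HDR_LEN, declared);
    return (int)declared;
}

/* Build a record whose header claims `declared` bytes while carrying the
 * real `payload`; the two may differ to simulate a malformed request.
 * Returns the number of bytes actually written into `buf`. */
static size_t build_record(uint8_t *buf, uint16_t declared, const char *payload)
{
    size_t plen = strlen(payload);
    buf[0] = ECHO_TYPE;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    memcpy(buf + HDR_LEN, payload, plen);
    return HDR_LEN + plen;
}

/* Convenience wrapper: result of the hardened handler for one record. */
static int checked_result_for(uint16_t declared, const char *payload)
{
    uint8_t rec[64], out[64];
    size_t rl = build_record(rec, declared, payload);
    return echo_checked(rec, rl, out, sizeof out);
}

int main(void)
{
    /* Constructed server memory: a short request followed by unrelated
     * data that a correct handler must never send back. */
    uint8_t arena[256];
    memset(arena, 0, sizeof arena);
    const char secret[] = "session-cookie=CONSTRUCTED-SECRET";
    size_t rec_len = build_record(arena, 40, "hi");   /* claims 40, sends 2 */
    memcpy(arena + rec_len, secret, sizeof secret);

    uint8_t out[128];
    int n = echo_unchecked(arena, out, sizeof out);
    printf("unchecked handler replied with %d bytes to a 2-byte request\n", n);
    n = echo_checked(arena, rec_len, out, sizeof out);
    printf("checked handler returned %d (malformed record rejected)\n", n);
    printf("well-formed record echoes %d bytes\n", checked_result_for(2, "hi"));
    return 0;
}
```

The only difference between the two handlers is the single comparison of the declared length against the received length; that is the shape of the fix applied to OpenSSL, and it is the check to look for when auditing any parser that copies a sender-supplied number of bytes.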
