Heartbleed: Why the Internet's Gaping Security Hole Is So Scary

In the past 15 or so years, we've all learned to feel pretty safe on the internet. BigSite.com is surely handling your credit card information safely, at least as safely as any brick and mortar store. Maybe don't be so sure; there's been a bug lurking in one of the internet's most important security measures for years, and it's given attackers the keys to the kingdom. Enter Heartbleed.

Secret handshakes

The heart of having secure transactions on the internet relies on a pair of technologies called Secure Sockets Layer (SSL), and its slightly younger brother Transport Layer Security (TLS). For most intents and purposes, they're the same thing. You can thank TLS/SSL for the little padlock that shows up next to the address of a secure website, and the https:// those addresses start with. Meanwhile, behind the scenes, TLS/SSL is what brokers the exchange of cryptographic keys that lets a browser and a server know they are who they say they are. It's the guardian of the secret digital handshake that keeps your private information between just you and BigSite.com.

TLS/SSL is a huge part of the internet as we know it today, and fortunately it still works just fine. What's causing the dangerous breach is a software library called OpenSSL. It's basically an open source package that people can use to get the protection of TLS/SSL encryption quickly and easily. The only problem? It's had a hole in it for years. A hole called "Heartbleed."

A look inside

OpenSSL works just fine in theory, but thanks to a minor coding error and the exploits that result from it, malicious folks can abuse certain (and popular!) versions of OpenSSL to grab slices of private data that should be secured by the TLS/SSL code that keeps you safe. Attackers can look inside the secret handshake and see how it's done.
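For readers who want to see what that "minor coding error" looks like in code, here is a stripped-down illustration added for this article; it is not OpenSSL's source, and the layout of the simulated memory is made up for the demo. The error in Heartbleed was a missing check: a heartbeat message carries a length field saying how big its payload is, and the vulnerable code copied that many bytes back to the sender without comparing the claim to the number of bytes that had actually arrived. Whatever sat next to the message in memory (the "juicy stuff" above) got copied too. The hardened handler below discards any record whose claimed length does not fit inside what was received, which is the shape of the actual fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 128
#define HB_HEADER  3    /* type (1 byte) + payload length (2 bytes, big-endian) */
#define HB_PADDING 16   /* minimum padding that must follow the payload */

/* Constructed stand-in for process memory: a heartbeat record followed by
 * unrelated secret data that happens to live right next to it. */
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "session-cookie=CONSTRUCTED_SECRET";

/* Lay out a heartbeat record whose length field is attacker-controlled while
 * the real payload is short; returns the record's true length on the wire.
 * (Keep payloads short; the arena is only 128 bytes.) */
size_t build_arena(uint16_t claimed_len, const char *payload) {
    size_t plen = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                 /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8); /* claimed payload length */
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER, payload, plen);
    size_t record_len = HB_HEADER + plen + HB_PADDING;
    memcpy(arena + record_len, SECRET, sizeof SECRET); /* the neighbour */
    return record_len;
}

/* Vulnerable pattern: trusts the length field inside the record and echoes
 * that many bytes, never asking how long the record really is. */
long echo_unchecked(const unsigned char *rec, size_t record_len, unsigned char *out) {
    (void)record_len;                              /* the defect: never consulted */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* Guard so this simulation stays inside its own arena; the real code had
     * no such stop and read whatever followed in process memory. */
    if (claimed > ARENA_SIZE - HB_HEADER) claimed = ARENA_SIZE - HB_HEADER;
    memcpy(out, rec + HB_HEADER, claimed);
    return (long)claimed;
}

/* Hardened pattern: accept the length field only if header + claimed payload
 * + minimum padding fit inside the record actually received. */
long echo_checked(const unsigned char *rec, size_t record_len, unsigned char *out) {
    if (record_len < HB_HEADER + HB_PADDING) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > record_len) return -1; /* discard */
    memcpy(out, rec + HB_HEADER, claimed);
    return (long)claimed;
}

/* Did the echoed bytes carry the neighbouring secret out with them? */
int leaks_secret(const unsigned char *buf, long n) {
    size_t slen = strlen(SECRET);
    if (n < 0 || (size_t)n < slen) return 0;
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(buf + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* End-to-end: a request that claims 64 bytes but sends 5, handled unchecked.
 * Returns 1 if the secret was echoed back. */
int scenario_unchecked_leaks(void) {
    unsigned char out[ARENA_SIZE];
    size_t len = build_arena(64, "hello");
    return leaks_secret(out, echo_unchecked(arena, len, out));
}

/* Same 5-byte payload with an arbitrary claimed length, handled with the
 * bounds check; returns bytes echoed, or -1 if the record was discarded. */
long scenario_checked_result(uint16_t claimed) {
    unsigned char out[ARENA_SIZE];
    size_t len = build_arena(claimed, "hello");
    return echo_checked(arena, len, out);
}

int main(void) {
    printf("unchecked handler leaked the secret: %s\n",
           scenario_unchecked_leaks() ? "yes" : "no");
    printf("checked handler, claim 64/send 5: %ld (-1 = discarded)\n",
           scenario_checked_result(64));
    printf("checked handler, claim 5/send 5:   %ld bytes echoed\n",
           scenario_checked_result(5));
    return 0;
}
```

The point to take away is that the length field arrives from the other side of the connection, so it is attacker input; the only trustworthy number is how many bytes the server actually read, and every copy has to be bounded by that.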

This is problematic for a couple of reasons. First, if attackers take a peek at a secret handshake you are performing when you log in to your email account at Yahoo.com, they can see your information. Your username, your password, maybe even your credit card number depending on what you're doing. There's all kinds of juicy stuff in there.

But that's small-time spoils compared to the real danger. Attackers will also get a look at how the site that's taking your data identifies itself. And once that half of the handshake is out in the wild, all bets are off. Not only could ne'er-do-wells use their new-found key to fool people into thinking they are a fine upstanding place of business with a good ol' man-in-the-middle attack, they can also look back into transactions that already happened. And since they're getting in with the master key instead of breaking through a window, these sorts of attacks leave no trace.

So how does this affect me?

Fortunately not all versions of OpenSSL are vulnerable to this kind of exploit, and there's already a fixed version of it out there. But considering how long it was broken for, that's a cold comfort.

There's a long list of sites that used the offending package, but because the attacks leave no trace, there's no way of telling how many were actually attacked; you just have to assume they all were. And if you're a user of one of them, assume your credentials are now out in the wild.

  • yahoo.com
  • imgur.com
  • flickr.com
  • redtube.com
  • kickass.to
  • okcupid.com
  • steamcommunity.com
  • hidemyass.com
  • wettransfer.com
  • usmagazine.com
  • 500px.com

And even once those sites have patched up the actual OpenSSL hole, the problem is far from solved. Sites also have to perform the internet equivalent of changing their cryptographic locks. Even then, any data that attackers may have managed to stash before then is still vulnerable, and it always will be.

Fortunately there are no real juggernauts of internet commerce wrapped up in this, as far as we know. No Amazon, no Google, no Microsoft. At least not anymore, but at some point in the past two years they could have been affected (and a few have now explained they were). Your LastPass and 1Password are still safe. But still, it's a potentially unprecedented breach, though we'll never actually know how many sites got attacked.

In the meantime, there's not much you can do besides avoiding affected sites until they're fixed, and changing your passwords after the fact. All your passwords, because you can't be safe enough. You can also put on a tinfoil hat, but sometimes the best solution is just a close eye on your credit card statement.

Update: Hidemyass.com reached out to us to explain that their sensitive user data is actually stored on vpn.hidemyass.com, so your ass is safe despite the fact that hidemyass.com was compromised.