Heartbleed flaw explained. Clearly. No jargon.


You’ve probably heard plenty about an Internet scare dubbed Heartbleed over the last day. We explain what it is and what you need to do, all in easy to understand terms.

Essentially Heartbleed is the name given to a flaw that was discovered in a piece of software called OpenSSL. OpenSSL is used by a very large share of websites and web servers (and plenty of other software) to scramble the information they exchange with you across the Internet, so that nobody in between can intercept and read it.

Basically you know how in Hollywood movies they say things like “are we on a secure line?”. Well OpenSSL allows a “secure line” to be secure. Only in this case across cyberspace, between computers.

Somewhat ironically though, OpenSSL turned out not to be as secure as many first thought. The flaw could allow criminals to ask a vulnerable site or server for a small slice (up to about 64 KB) of whatever happened to be in its memory at that moment, and the server would hand it over. That slice might contain something valuable, or it might be useless. But a criminal could repeat the request as many times as they liked, collecting a little more each time.

That information could include usernames, passwords, credit card details or even the server's own encryption keys, which would allow a criminal to read any data passing between that server and anyone else, or to impersonate the site.

The flaw is in a feature of OpenSSL called "Heartbeat", which lets one computer send a short "are you still there?" message across a secure connection and have it echoed straight back, rather like a radar ping. Each heartbeat states how long its message is, and vulnerable versions of OpenSSL trusted that number without checking it against what had actually been sent. So a request that claimed to be much longer than it really was got back its message plus whatever happened to sit next to it in the server's memory, hence the term "Heartbleed". Catchy, no?
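To make that concrete, here is a small added example written for this article. It is not OpenSSL's own code, only an imitation of the relevant few lines: a heartbeat handler without the check (the bug) next to the same handler with the check the fix added. The block of "server memory", the session cookie sitting in it and the function names are all made up for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16     /* a heartbeat carries at least 16 bytes of padding */
#define MEM_SIZE  1024

/* Write a heartbeat request at the start of buf:
 * type (1 byte) | payload length (2 bytes, big-endian) | payload | padding.
 * claimed_len is the number the sender writes in the length field;
 * real_len is how much payload is really there. An honest client makes
 * them equal; the Heartbleed trick is to make claimed_len much bigger.
 * Returns the size of the record actually sent. */
static size_t build_request(unsigned char *buf, size_t cap, uint16_t claimed_len,
                            const unsigned char *payload, size_t real_len)
{
    size_t sent = 1 + 2 + real_len + HB_PADDING;
    if (sent > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + 3, payload, real_len);
    memset(buf + 3 + real_len, 0, HB_PADDING);
    return sent;
}

/* Unpatched behaviour: trust the length field and copy that many bytes
 * back, even when they lie beyond the end of the record we received. */
static size_t handle_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);   /* the over-read: rec_len is never consulted */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Patched behaviour: the same code behind one extra check, which is
 * essentially what the OpenSSL 1.0.1g fix added. A request whose claimed
 * payload would not fit inside the record it arrived in is silently dropped. */
static size_t handle_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;
    return handle_vulnerable(rec, rec_len, out, out_cap);
}

/* Does the byte string needle appear anywhere in the first n bytes of hay? */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    if (m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Simulate the attack against a constructed picture of server memory:
 * the incoming record at the front, and a made-up session cookie that
 * just happens to sit 200 bytes further along. The attacker sends a
 * 3-byte payload but claims it is 500 bytes long. Returns 1 if the
 * cookie comes back in the response. */
int attack_leaks_secret(int patched)
{
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    const char *secret = "session=alice;token=4f2a9c";   /* constructed, not real */
    memset(mem, 'A', sizeof mem);
    size_t rec_len = build_request(mem, sizeof mem, 500, (const unsigned char *)"hat", 3);
    memcpy(mem + 200, secret, strlen(secret));
    size_t n = patched ? handle_fixed(mem, rec_len, out, sizeof out)
                       : handle_vulnerable(mem, rec_len, out, sizeof out);
    return n > 0 && contains(out, n, secret);
}

/* An honest heartbeat, with a truthful length field, works on both versions. */
int honest_echo_ok(int patched)
{
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    memset(mem, 0, sizeof mem);
    size_t rec_len = build_request(mem, sizeof mem, 4, (const unsigned char *)"ping", 4);
    size_t n = patched ? handle_fixed(mem, rec_len, out, sizeof out)
                       : handle_vulnerable(mem, rec_len, out, sizeof out);
    return n == 1 + 2 + 4 + HB_PADDING && out[0] == HB_RESPONSE
        && memcmp(out + 3, "ping", 4) == 0;
}

int main(void)
{
    printf("unpatched server leaks the secret: %s\n", attack_leaks_secret(0) ? "yes" : "no");
    printf("patched server leaks the secret:   %s\n", attack_leaks_secret(1) ? "yes" : "no");
    return 0;
}
```

The only difference between the two handlers is the single comparison in handle_fixed: the unpatched one never looks at how long the incoming record really was, so the copy runs 497 bytes past the three-byte "hat" and scoops up the cookie on the way. Nothing crashes and nothing is logged, which is why nobody can say whether this was ever used for real.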


Yahoo.com was the highest-profile website found to be vulnerable.

The security flaw was discovered by "white-hat hackers", meaning people who look for flaws so that they can be fixed and systems kept secure, rather than to exploit them for criminal purposes.

In fact, it is simply not known whether this vulnerability was ever exploited by criminals, since exploiting it leaves no trace in a server's normal logs. We do know the flaw had been present for around two years before it was found.

Basically, there is no way for YOU to know if your accounts on affected services have been compromised.

Given the number of accounts across different websites this flaw could potentially have compromised (billions), coupled with the fact that we don't know whether any criminals ever discovered it, the chances of you being directly attacked because of this debacle are rather low.

But of course low doesn't mean impossible, so users of affected services (see below) are being advised to change their passwords, and to do so only once the service has applied the patch that fixes the problem. A site that has patched should also have replaced its encryption keys and certificate, since those may have leaked too; until it has, a new password can be stolen the same way as the old one.

So ultimately it is up to you to decide for yourself. Password changing is relatively easy to do, so if you really don’t want to risk your accounts being compromised, then there really is no reason not to change those passwords.

So, affected services include all of Yahoo's services, such as Yahoo.com, Yahoo Finance, Tumblr and Flickr. Question-and-answer sites stackoverflow.com and stackexchange.com. Dating site okcupid.com. Proxy site hidemyass.com. Outbrain.com. Archive.org. Redtube.com. Squidoo.com.

Popular sites reported not to be affected include Facebook.com, Amazon.com retail (including locales) and Google.com (including locales).

For other sites, the recommended course of action is to contact them and ask whether they have applied the OpenSSL patch before you change your password (changing it before the service fixes the flaw is rather pointless, since the new password could leak the same way as the old one).

Further reading:
Check if a website is still affected: Filippo.io
Heartbleed: With the Jargon: Sophos Naked Security.
Image credit: Codenomicon
