The heartache of Heartbleed

There is plenty of panic to go around surrounding the announcement of a major security flaw in OpenSSL, the open-source implementation of the secure connection used by most web servers to encrypt information between users, sites, and companies. Here is some basic information on "Heartbleed," and what you need to know:

1. What the heck is SSL? And should I worry whenever that lock appears in my browser? Or when I see ‘https://’?

SSL stands for “Secure Sockets Layer.” It refers to the connection between your computer and the company hosting whatever website you are currently browsing. Take a banking website, for example. Ideally, you’d want that connection to be secure against hackers being able to see the information being transmitted back and forth; in this case, sensitive information like your social security number or your credit card numbers. Companies that have an SSL connection will encrypt any information transferred between your computer and the company.

That’s why you see the lock in the upper left-hand corner of your browser. Companies with an SSL connection have paid for an SSL certificate, and the lock icon notifies their users of it. Additionally, the “s” in “https://” is another signifier of an SSL connection, and stands for “secure.”

For more information, check out this video.

In theory, this is how it should work: encryption over an SSL connection should guard against anyone gaining access to that information and decrypting it. Except when it doesn’t. As security experts discovered, a flaw in OpenSSL, the open-source implementation of SSL, has existed for about two years, and could allow a hacker to get access to private information as well as the key needed to decrypt it. It’s especially problematic when considering that about 2/3 of web servers use OpenSSL. Cue terrifying nickname: the “Heartbleed” bug.

2. I’ve heard I shouldn’t change my passwords yet. Why not?

In simple terms, if a site is compromised, changing your password won’t do much until the company that runs the site installs a patch. A better strategy is to wait until sites have had a chance to fix their “Heartbleed” woes, and then change your password. Otherwise you might simply be handing a hacker your new password.

3. Which sites are affected by “Heartbleed”?

You can look at a list of sites here, or check for yourself here.

*UPDATE: While changing your password on a website that isn't yet secure could be dangerous, many companies are now saying they have patched or updated the OpenSSL flaw in their systems and that users should update their login information. Mashable has a good running list of sites and their status.

About the author

Tobin Low is the New York bureau intern for Marketplace.
