Talisman

The Student News Site of Ballard High School


You’re going to need a new password

Heartbleed is the largest Internet security flaw ever, and no one’s account is safe

Dillon Zizza, Webmaster
Originally published June 5, 2014



The Internet contains millions of people’s private information, from email accounts to online banking to social networks. Normally this content is secured behind a password which keeps all but the most determined intruders out. But what if the very software that makes passwords so difficult to crack had a flaw which handed them out to anyone who asked?

That is precisely what happened with the Heartbleed bug. At the time of its discovery an estimated 17 percent of websites certified as secure were found to be vulnerable, including major companies such as Reddit, SoundCloud, Tumblr, Yahoo!, Imgur, Steam, League of Legends, and Wikipedia.

A fixed version of OpenSSL, the software containing the bug, was released the same day the Heartbleed bug was disclosed to the public. Unfortunately, the bug existed for nearly two years before it was discovered, putting any account on any vulnerable website at risk. However, according to Marketwatch.com, 47 percent of Americans who had heard of the bug hadn’t changed their password by May 13, over one month after it was revealed, despite the almost immediate request to do so from most websites.

This represents a massive and entirely unparalleled security breach on the Internet which should be resolved as quickly as possible. All users of affected websites should change their passwords immediately, choosing as secure and unique a password as possible.

Of course, remembering a password can be difficult and a forgotten password is often a serious hassle to resolve. A password manager such as LastPass, KeePass, or Dashlane can help by saving all passwords automatically in a system built into a web browser as well as having extra features such as auto-login to websites and secure password generation.

While the Internet has had less reputable people attempting to steal people’s passwords since it first had something worth stealing on it, Heartbleed is another order of magnitude on the scale of security flaws.

The flaw exists in what is known as a heartbeat, the periodic contact between a computer and the website it is connected to in order to confirm that both ends are still online. Normally this would involve the user’s computer asking the website’s computer something like “Respond with 1 (one digit long)” and receiving “1” in response.

Heartbleed allows a user computer to instead ask “Respond with 1 (50 digits long)” and receive both “1” and the 49 prior things the website computer had sent, whether those be other requests of the same type or someone’s password. A user who knows about this flaw could easily exploit it to harvest nearly all traffic on a website, gathering thousands if not millions of passwords.
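The length check that separates the two requests described above, written out as an added example (not OpenSSL's code and not part of the original article). It follows the heartbeat message layout in RFC 6520, which tells the receiver to silently discard a request whose claimed length is too large; the function names and the two sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER 3   /* 1-byte type + 2-byte claimed payload length (RFC 6520) */
#define HB_PADDING 16 /* minimum padding the RFC requires after the payload */

/* Constructed sample records: both carry the 1-byte payload "1" plus padding. */
static const uint8_t HONEST[20] = {1, 0x00, 0x01, '1'}; /* claims 1 byte   */
static const uint8_t LYING[20]  = {1, 0x00, 0x32, '1'}; /* claims 50 bytes */

static size_t claimed_len(const uint8_t *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

/* Bytes beyond the record that a handler trusting the claimed length would
 * copy into its reply. Computed only; nothing is read out of bounds here. */
size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER) return 0;
    size_t actual = rec_len - HB_HEADER;
    return claimed_len(rec) > actual ? claimed_len(rec) - actual : 0;
}

/* Checked handler: writes the reply to out and returns its length, or returns
 * 0 to silently discard a request whose claimed length does not fit. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != 1) return 0;
    size_t n = claimed_len(rec);
    size_t total = HB_HEADER + n + HB_PADDING;
    if (total > rec_len || total > cap) return 0;   /* the bounds check */
    out[0] = 2;                                     /* heartbeat_response */
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, n);    /* echo only what arrived */
    memset(out + HB_HEADER + n, 0, HB_PADDING);     /* real padding is random */
    return total;
}

int main(void)
{
    uint8_t out[64];
    printf("honest: overread=%zu reply=%zu\n", hb_overread(HONEST, sizeof HONEST),
           hb_respond(HONEST, sizeof HONEST, out, sizeof out));
    printf("lying:  overread=%zu reply=%zu\n", hb_overread(LYING, sizeof LYING),
           hb_respond(LYING, sizeof LYING, out, sizeof out));
    return 0;
}
```

The honest record is echoed back in a 20-byte reply, while the record claiming 50 bytes is dropped instead of being answered with 33 bytes of whatever follows it in the server's memory.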

There is no way to know just how much data has been intercepted by people with malicious intent, which means that everyone is at risk. The Internet is extremely complex, and no one can predict what else poses a danger to user security.

What can be predicted is that such incidents aren’t going to end, and users must remain vigilant about protecting themselves. A password is all that stands between your account and every criminal on the Internet. Make sure you haven’t left the key in the lock.
