In Brian K. Vaughan’s digital comic series The Private Eye, the world of 2076 has dismantled the Internet and obsesses over personal privacy after “the cloud burst” and exposed everyone’s online secrets. A disaster with shades of that fictional “cloudburst” has happened on the non-fictional Internet: Security researchers discovered a bug in OpenSSL, a software package that most web servers use to encrypt sensitive communications. Called “Heartbleed” (because it relates to the portion of a secure connection called the “heartbeat”), this glitch is as serious as they come.
For the past two years, any nefarious sort with enough knowledge to exploit the error could steal the secret encryption keys of an affected site or app, essentially giving the hacker carte blanche to “eavesdrop on communications, steal data … and to impersonate services and users”—according to Codenomicon, a team of researchers who helped find the bug and also designed a charming logo for it. It’s a cartoon heart. Everybody loves hearts.
To give you an idea of how deep the bug runs, changing your password on an affected site wouldn’t guarantee your safety, because with the private SSL keys, an attacker could just grab your new password and return to ordering 55-gallon drums of lube with your Amazon account. That’s just an example—Amazon has patched the bug on its servers, and nobody needs that much lube. Certainly not me!
Adding an extra layer of scariness to this ordeal, it’s almost impossible to determine if anyone has exploited the bug, because a Heartbleed attack leaves no trace. Security guru Bruce Schneier likely held a flashlight under his chin as he observed that by now, “the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies.” Okay, fine, NSA, I was lying about the lube. Sometimes I just want to use my Slip ’N Slide in the winter, is that so wrong?
Most major websites have been working to shore up their systems over the past 24 hours, and you can check the status of your favorite sites with a Heartbleed test gizmo set up by a helpful researcher named Filppo Valsorda. It should be noted, though, that just because a site passes Valsorda’s test now doesn’t mean that it’s entirely in the clear—sites also have to refresh their SSL keys because patching the bug does nothing to secure a secret key that was stolen earlier. With the situation still in flux, the best advice comes from The Atlantic’s James Fallows, who recommends that you change your online passwords now, and then change them again after this mess has been sorted. Or you could just throw your computer in the garbage and buy yourself a fancy mask of a lion or a robot, like they do in The Private Eye.
Send your Newswire tips to firstname.lastname@example.org