Heartbleed bug: What you need to know (FAQ)
The security vulnerability has implications for users across the Web. Here's what the bug means for you.
The Heartbleed bug, a newly discovered security vulnerability that puts users' passwords at many popular Web sites at risk, has upended the Web since it was disclosed earlier this week. It's an extremely serious issue, and as such, there's a lot of confusion about the bug and its implications as you use the Internet.
CNET has compiled a list of Frequently Asked Questions to help users learn more about the bug and protect themselves. The Heartbleed situation is ongoing, and we'll update this FAQ as new issues arise. Check back for new information.
What is Heartbleed?
Heartbleed is a security vulnerability in OpenSSL software that lets a hacker access the memory of data servers. According to Netcraft, an Internet research firm, 500,000 Web sites could be affected. That means a user's sensitive personal data -- including usernames, passwords, and credit card information -- is potentially at risk of being intercepted.
The vulnerability also means an attacker could steal a server's digital keys that are used to encrypt communications and get access to a company's secret internal documents.
What is OpenSSL?
Let's start with SSL. That stands for Secure Sockets Layer, but it's also known by its new name, Transport Layer Security, or TLS. It's the most basic means of encrypting information on the Web, and it mitigates the potential of someone eavesdropping on you as you browse the Internet. (Notice the "https" in the URL of SSL-enabled sites like Gmail, instead of simply "http.")
OpenSSL is open-source software for SSL implementation across the Web. The versions with the vulnerability are 1.0.1 through 1.0.1f. OpenSSL also is used as part of the Linux operating system, and as a component of Apache and Nginx, two very widely used programs for running Web sites. Bottom line: Its use across the Web is vast.
Who discovered the bug?
Credit is given to security firm Codenomicon and Google researcher Neel Mehta, who both found the bug independently of each other, but on the same day.
Mehta donated the $15,000 bounty he was awarded for helping find the bug to the Freedom of the Press Foundation's campaign for the development of encryption tools for journalists to use when communicating with sources. Mehta is declining press interviews, but asked for comment, Google said, "The security of our users' information is a top priority. We proactively look for vulnerabilities and encourage others to report them precisely so that we are able to fix them before they are exploited."
Why is it called Heartbleed?
According to Vocativ, the term "Heartbleed" was coined by Ossi Herrala, a systems administrator at Codenomicon. It's got a nicer ring to it than its technical name, CVE-2014-0160, named for the line of code that contained the bug.
Heartbleed is a play on words referring to an extension on OpenSSL called "heartbeat." The protocol is used to keep connections open, even when data isn't being shared between those connections. Herrala "thought it was fitting to call it Heartbleed because it was bleeding out the important information from the memory," David Chartier, chief executive of Codenomicon, told Vocativ.
If the name sounds a bit too catchy for a security glitch, that's exactly the point. The team at Codenomicon wanted something press friendly that could spread quickly, to warn more people of the flaw. Soon after they named the bug, they bought the domain Heartbleed.com to educate the Web about the glitch.
Why are some sites not affected by Heartbleed?
Although OpenSSL is very popular, there are other SSL/TLS options. In addition, some Web sites use an earlier, unaffected version, and some didn't enable the "heartbeat" feature that was central to the vulnerability.
While it doesn't solve the problem, what mitigates the scope of the potential damage is the implementation of perfect forward secrecy, or PFS, a practice that makes sure encryption keys have a very short shelf life and are not used forever. That means that if an attacker did get an encryption key out of a server's memory, the attacker wouldn't be able to decode all secure traffic from that server, because each key's use is very limited. While some tech giants, like Google and Facebook, have started to support PFS, not every company does.
How does the bug work?
The vulnerability lets a hacker access up to 64 kilobytes of server memory at a time, but the attack can be performed over and over again to gather lots of information. That means an attacker could get not just usernames and passwords, but also "cookie" data that Web servers and browsers use to track individuals and ease log-in. According to the Electronic Frontier Foundation, doing the attack repeatedly could yield more serious information, like a site's private SSL key, used to encrypt traffic. With that key, someone could run a fake version of a Web site and use it to steal all other kinds of information, like credit card numbers or private messages.
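To make the mechanism concrete, here is an added illustration (not CNET's or OpenSSL's code) of the missing check at the heart of the bug: a simplified heartbeat handler that trusts the peer's claimed payload length, beside the same handler with the length validated against what actually arrived. The message layout follows RFC 6520; the buffers, function names and the "secret" bytes are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat message (RFC 6520): one type byte, a
   two-byte big-endian payload length, then the payload. Constructed for
   illustration; it is not OpenSSL's code. */
#define HB_HDR 3
#define HB_TYPE_RESPONSE 2
/* Before the fix: trusts the peer's claimed length and echoes that many bytes
   back, although only rec_len bytes actually arrived. Returns the reply size. */
int heartbeat_reply_vulnerable(const uint8_t *rec, size_t rec_len,
                               uint8_t *out, size_t out_cap) {
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];   /* up to 65535 */
    (void)rec_len;                     /* the received length is never consulted */
    if (HB_HDR + claimed > out_cap) return -1;
    out[0] = HB_TYPE_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);      /* reads past the record */
    return (int)(HB_HDR + claimed);
}

/* After the fix: a claimed length larger than what was received is rejected. */
int heartbeat_reply_fixed(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed > rec_len) return -1;        /* the missing validation */
    if (HB_HDR + claimed > out_cap) return -1;
    out[0] = HB_TYPE_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);
    return (int)(HB_HDR + claimed);
}
/* Constructed "server memory": a heartbeat whose 2-byte payload "hi" is
   claimed to be 16 bytes, followed by data that must never leave the server. */
static const uint8_t arena[] = "\x01\x00\x10" "hi" "SECRET-SESSION-COOKIE";
#define REC_LEN 5   /* header plus the two payload bytes that really arrived */

/* Returns 1 if the handler's reply carries bytes from beyond the record. */
int leaks_past_record(int (*handler)(const uint8_t *, size_t, uint8_t *, size_t)) {
    uint8_t out[64];
    int n = handler(arena, REC_LEN, out, sizeof out);
    return n > REC_LEN && memcmp(out + REC_LEN, arena + REC_LEN, 6) == 0;
}

int main(void) {
    printf("vulnerable leaks: %d\n", leaks_past_record(heartbeat_reply_vulnerable));
    printf("fixed leaks:      %d\n", leaks_past_record(heartbeat_reply_fixed));
    return 0;
}
```

The constructed arena keeps every read inside a real buffer, so the program is memory-safe while still showing the bytes the unpatched handler hands back.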
Should I change my passwords?
For many Web sites, yes. BUT wait until you get confirmation from the Web site operator that the bug has been patched. It's a natural reaction to want to change all of your passwords immediately, but if the Web site's bug has not been fixed yet, making the change could be useless -- you're just potentially giving an attacker your new password.
How do I check if a Web site has been affected -- or fixed?
A few companies and developers have created testing sites to check which Web sites are vulnerable or safe. Two good ones are by LastPass, a company that makes password management software, and Qualys, a security firm. While these test sites are a good preliminary check, continue to proceed with caution, even if the site gives you an all-clear indication. If you're given a red flag, however, avoid the site.
CNET is keeping a running list on the status of the top 100 Web sites, according to Alexa.com. Check back here for updates. Here's a list of sites that were still vulnerable as of Thursday afternoon, according to researchers at Zmap.
But the most prudent thing to do is to get confirmation from the site through one of its official channels. Lots of companies have been putting up blog posts and issuing statements about the health of their sites. Or you can email a site operator or customer service person directly.
According to the Guardian, the programmer who wrote the glitchy code was Robin Seggelmann, who worked for the OpenSSL project while pursuing his Ph.D. from 2008 to 2012. Adding to the drama of the situation, he submitted the code at 11:59 p.m. on New Year's Eve 2011, though he claims the timing has nothing to do with the bug. "I am responsible for the error," Seggelmann said. "Because I wrote the code and missed the necessary validation by an oversight."
Still, as an open-source project, it's hard to place the blame squarely on one person. As Zulfikar Ramzan, chief technology officer of cloud security startup Elastica, explained to The New York Times, there's so much complex code that people had been writing, and the particular protocol Heartbeat did not get enough scrutiny. "Heartbeat is not the main part of SSL. It's just one additional feature within SSL," he said. "So it's conceivable that nobody looked at that code as carefully because it was not part of the main line."
Is it true that the US government exploited Heartbleed before the world knew about it?
That's unclear at this time. One report said that the National Security Agency knew about the exploit before it was called Heartbleed and exploited it to gather intelligence, but the NSA denied the accusation. Whether the report is accurate, the fact remains that when left unpatched, Heartbleed is a major security risk.
Should I be worried about my bank account?
Most banks don't use OpenSSL, but instead use proprietary encryption software. But if you're unsure, contact your bank directly for confirmation that the Web site is secure. Still, John Miller, security research manager for security and compliance firm TrustWave, suggests keeping a close eye on financial statements for the next few days to make sure there are no unfamiliar charges.
How do I know if anyone has used the Heartbleed vulnerability to steal my information?
Unfortunately, exploiting the bug "leaves no traces of anything abnormal happening to the logs" of Web sites, according to Codenomicon.
What password managers can I try?
One thing the Heartbleed situation highlights is the value of a good password. In the aftermath of changing your old passwords, you might be wondering if there are other ways to make sure your accounts are secure. Password managers try to solve that problem by helping you generate random passwords for each account. You then control everything through one strong master password. Having all of your accounts under one manager may be too close for comfort for some users, but LastPass, one of those vendors, insists it's secure, and that users don't have to change their master passwords due to Heartbleed. It's even added a feature that automatically checks your saved sites for Heartbleed vulnerabilities. Other password manager options are RoboForm, Dashlane, and 1Password.
Another suggestion is enabling two-factor authentication when it is offered. (Gmail is one service that does so.) That means that in addition to a password, the service asks for another piece of identifying information, like a code that's been texted to you. That way, even if someone steals your password, it's much harder for them to log in as you.
CNET senior writer Seth Rosenblatt contributed to this report.