Oh Heartbleed, You Make My Heart Bleed

By Ryan Majeau | Posted in my blog for

There's a new big bad in town, and it's causing quite a stir. Perhaps you've heard of it? Say hello to Heartbleed! The latest and greatest in online security holes has just come into the spotlight. For a small bug it's already being crowned the greatest internet threat ever. Oh yeah, and it's been around for 2 years. They just found it now.

Actually, researchers found the bug a month ago. They just didn't tell anyone until now. Before you freak out, this is called coordinated disclosure, and companies do it all the time. It gives them time to patch the hole before telling the world (so it won't be a bad guy free-for-all).

Over the past month, the OpenSSL team put out a fixed version (1.0.1g), the fix went to the big tech companies and Linux distributions for rollout, and a plan was made to make the news public. I'm kind of impressed that in this timeframe, the bug got some corporate branding. Where did that come from? (Codenomicon, one of the two teams that found it.) It got a name, a logo, even a website, your one stop shop for all the info you'd need about this new superstar. Clearly they had the media in mind.

Regardless of all the prep work, all sorts of badness still ensued once the story broke. Websites everywhere scrambled to see if they were affected. Warnings went out to inform and calm customers. The Canada Revenue Agency even took its online services down. Canadians couldn't file their taxes! (okay, so not all bad)

So what’s all the fuss about?

Well, this "small bug" is in OpenSSL, the open-source library that a huge share of websites use for SSL/TLS, the encryption tech that keeps your private info private. The hole is in OpenSSL's handling of the TLS "heartbeat" extension: a client sends a short message, tells the server how long it is, and the server echoes it back. OpenSSL trusted the length the client claimed without checking it against the message it actually got, so a client could say "echo 64KB" after sending a few bytes and get back whatever happened to be sitting in the server's memory next to the real message. Those leftovers can be other people's passwords and session cookies in plaintext (the server has already decrypted them by then), and even the server's private key. So Heartbleed doesn't care if your password is 12345, Password or 28jQ6$5zKC*l^zI38n. The encryption isn't broken; the server just hands your secrets over after it has done the decrypting. Make sense now? Small bug = bad bug. This comic and write-up does a great job of summing it up in layman's terms.
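To see what "trusting the claimed length" looks like in code, here is a small C model of a heartbeat handler. It is added for this post and is not OpenSSL's actual source: one contiguous buffer holds the received record followed by stale data left over from an earlier request (a constructed sample standing in for leftover server memory), the vulnerable handler copies as many bytes as the request claims, and the fixed handler applies the bounds check that the OpenSSL 1.0.1g patch introduced. The names `region`, `STALE_SECRET`, the handler functions and the helpers are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed scenario: one contiguous region holds the received record at
 * its start, followed by stale bytes that an earlier request left behind
 * (standing in for leftover process memory such as another user's cookie).
 * Keeping both in a single array keeps the over-read inside one object, so
 * the demo is well-defined C while still modelling the real bug. Claimed
 * lengths in this demo stay well under REGION_SIZE for the same reason. */
#define REGION_SIZE 512
static unsigned char region[REGION_SIZE];
static const char STALE_SECRET[] = "session=9f1c2a;password=hunter2"; /* constructed sample */

/* Writes a heartbeat request into region[]. The record really carries only
 * strlen(payload) bytes, but its length field claims `claimed_len`.
 * Returns the true length of the record as received. */
static size_t build_request(const char *payload, uint16_t claimed_len) {
    size_t actual = strlen(payload);
    memset(region, 0, REGION_SIZE);
    region[0] = HB_REQUEST;
    region[1] = (unsigned char)(claimed_len >> 8);
    region[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(region + 3, payload, actual);
    size_t rec_len = 3 + actual + HB_PADDING;                    /* padding left as zeros */
    memcpy(region + rec_len, STALE_SECRET, sizeof STALE_SECRET); /* leftover data sits right after */
    return rec_len;
}

/* Vulnerable handler: echoes payload_length bytes without checking that the
 * record actually contains that many, so the copy runs past the record into
 * whatever follows it. Returns the response length, 0 if the request is dropped. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;                                  /* never consulted: that is the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 3 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);          /* over-read past the real payload */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler: the check OpenSSL 1.0.1g added. A claimed length that does
 * not fit inside the record we received is silently discarded (RFC 6520 sec. 4). */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < 3 + HB_PADDING) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload_len + HB_PADDING > rec_len) return 0;
    return heartbeat_vulnerable(rec, rec_len, out, out_cap); /* safe once the length is validated */
}

typedef size_t (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

/* Does the byte string hay[0..n) contain needle (without its NUL)? */
static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; m <= n && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Feeds one constructed request to a handler and returns the response length. */
size_t response_len(hb_handler h, const char *payload, uint16_t claimed_len) {
    unsigned char out[REGION_SIZE];
    size_t rec_len = build_request(payload, claimed_len);
    return h(region, rec_len, out, sizeof out);
}

/* Same, but reports whether the response carried the stale secret. */
int leaks_secret(hb_handler h, const char *payload, uint16_t claimed_len) {
    unsigned char out[REGION_SIZE];
    size_t rec_len = build_request(payload, claimed_len);
    size_t n = h(region, rec_len, out, sizeof out);
    return contains(out, n, STALE_SECRET);
}

int main(void) {
    /* "ping" is 4 bytes, but the request claims 100 */
    printf("vulnerable: %zu bytes back, leaked secret: %d\n",
           response_len(heartbeat_vulnerable, "ping", 100),
           leaks_secret(heartbeat_vulnerable, "ping", 100));
    printf("fixed:      %zu bytes back, leaked secret: %d\n",
           response_len(heartbeat_fixed, "ping", 100),
           leaks_secret(heartbeat_fixed, "ping", 100));
    printf("fixed, honest length: %zu bytes back\n",
           response_len(heartbeat_fixed, "ping", 4));
    return 0;
}
```

The vulnerable handler answers the 4-byte "ping" with 119 bytes, and the stale secret comes along for the ride; the fixed handler drops the same request and only answers when the claimed length fits the record. In the real library the bytes after the record came from the heap, which is why session cookies, passwords and private keys turned up in the responses, and the entire fix is that one length comparison.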

The worst part is that for us users there's no quick & easy fix. It's not just one password you have to change, it's pretty much all of them. And you can't just go change them all right away either, because a password you set on a still-vulnerable site can leak all over again. First you have to check if the site was affected, then whether they've patched the bug on their end (and, since the server's private key could have leaked too, replaced their certificate). If so, then you update your password. Now do this dozens of times. Convoluted as hell.

Thanks to the great people at Mashable, a lot of the annoying legwork has already been done for you. Check out their Heartbleed bug affected hit list post.

The good news is there's no evidence the hole was exploited over the last 2 years. The catch is that there wouldn't be: a heartbeat request leaves nothing in a normal server log, so if anyone was using it, they're keeping shut about it (wouldn't you?). The bad news? The internet is still broken, and it will be for a while.