Some call it CVE-2014-0160. Some like to refer to it as TLS heartbeat read overrun. Some know it as OpenSSL v1.0.1. I like to say it’s the worst thing to happen to the Internet since BuzzFeed.
However you know it, the bug commonly known as Heartbleed remains shrouded in mystery to many. But no longer! By the end of this article, you, my fellow Brunonian, will be able to proudly discuss the intricacies of Heartbleed with your friendly local CS concentrator. Kind of like how you discussed that book in AP English after only reading the Sparknotes.
(Disclaimer: CS people, please don’t get angry at me for the technical transgressions I’ve committed in this article.)
What is Heartbleed?
Brief review: HTTPS is a thing. (You know, like https://) The S stands for Secure. It’s for when you don’t want other people to be able to see your passwords and other personal information.
You know that little lock in the top left corner?
Well, Heartbleed allows hackers to unlock that lock (in certain cases) and see parts of your personal information. Yeah. No bueno. Especially when the https:// precedes yourbank.com.
What’s up with the name?
Sometimes, when your computer is talking to a website, it sends it a “heartbeat” to let it know that it’s still there. Kind of like when your doctor uses a stethoscope to make sure you’re still there. Without getting into technical details, suffice to say that the bug came from those heartbeats. So someone thought, “Oh, it would be kind of cool to nickname the bug Heartbleed, cause the site is bleeding information to hackers. Get it?”
And so it was.
How bad is it?
How bad would it be if your heart were bleeding?
Shit. Have all my passwords been stolen?
Uh, it’s sort of difficult to say. One of the worst things about Heartbleed is that it’s really hard to tell if anyone actually took advantage of it, and if so, who.
How long has this been around?
Since May 10, 2012. They only discovered it recently.
Was the bug on every site?
No. Wikipedia says only 17% of all websites online at the time were affected. Which is still a lot, though.
How did this happen?
So you know that lock we were talking about? It turns out that, just like in the real world, different organizations make those locks. One of those organizations is called OpenSSL. They’re the most popular Internet lock-making organization, so the vast majority of sites were using their locks. In real life, hundreds of thousands of websites use OpenSSL’s locks, but only about 20 people have ever worked on the locks. And they’re not paid to do it. So there you go.
What, if anything, do I have to do so my shit isn’t wrecked by Heartbleed?
You should keep an eye out for updates from your favorite websites. Most of them will tell you what to do. You should wait for those updates, because if the sites haven’t changed their locks, hackers who have the keys might still be able to listen in on whatever juicy conversations your computer and these sites are having.
If this has been going on for two years, do I really have to change all my passwords?
Technically speaking, you should change any piece of information you’ve ever disclosed on HTTPS sites, like bank card numbers and passwords. And your address. And your name. But definitely passwords. Unless you want to wager that if some hackers have them, they won’t use them.
What does the government have to do with it?
There was a report by Bloomberg that the NSA knew about Heartbleed, but didn’t tell anyone because it made their domestic spying easier. The NSA vehemently denied it. Believe what you will.
So now you know. Change your passwords.