HEARTBLEED

From time to time, we find ourselves curious about a topic and do some digging (we're contractually obligated to use this word in every post). So here, for your edification, the nectar of our mind grapes.


What Is The Heartbleed Bug?


Get it? heartbleed.com

The Heartbleed bug is a just-discovered vulnerability in the immensely popular OpenSSL cryptographic software library. Is your head spinning yet? Just stick with us.

OpenSSL is the most widely used implementation of Secure Sockets Layer (SSL), a suite of security protocols that encrypts traffic between your browser and the sites you visit.

Every time you send and receive information online — say when you're buying that awesome new pizza t-shirt from Urban Outfitters — there's a chance your data is sent via SSL. You can tell SSL is being used when you see "https," a lock, or a green indicator while browsing certain sites. 

SSL in use in Chrome. Screenshot via Mike Young

Some mail, chat programs and virtual private networks (VPNs) also use systems tied to OpenSSL to transmit your data and communications securely. 

The Heartbleed bug is unique and terrifying because it allows anyone to read the memory of systems running the now-vulnerable versions of OpenSSL. Anyone who reads this memory can grab the secret keys the service uses to encrypt its traffic, the names and passwords of its users, and from there all sorts of other private data.
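The paragraph above says the bug lets an outsider read server memory, but not why. The reason is a missing length check: the server echoed back as many bytes as the peer *claimed* to have sent, not as many as it actually received. The program below is an added example written for this article, not code from the original post and not OpenSSL's own source; the record layout, buffer sizes, function names and the "SECRET-PASSWORD" string are all constructed to show the class of bug and its fix side by side.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a heartbeat-style echo handler. This is NOT OpenSSL's
   code; the record layout, sizes and names are assumptions chosen to show the
   bug class: trusting a length field that the peer controls. */

#define MEMORY_SIZE 64   /* a slice of "process memory" (constructed) */
#define RECORD_SIZE 16   /* the received heartbeat record is the first 16 bytes */

/* Record layout: [1 byte type][2 byte payload_len, big endian][payload...] */

/* Vulnerable handler: copies payload_len bytes from the payload without
   checking that the record actually contains that many bytes, so it reads
   whatever sits in memory after the record. */
size_t heartbeat_reply_vulnerable(const uint8_t *record, size_t record_len,
                                  uint8_t *out, size_t out_cap)
{
    if (record_len < 3)
        return 0;
    size_t payload_len = ((size_t)record[1] << 8) | record[2];
    if (payload_len > out_cap)
        return 0;
    memcpy(out, record + 3, payload_len);   /* BUG: not bounded by record_len */
    return payload_len;
}

/* Hardened handler: the declared payload length must fit inside the bytes
   that were actually received; otherwise the record is silently dropped. */
size_t heartbeat_reply_fixed(const uint8_t *record, size_t record_len,
                             uint8_t *out, size_t out_cap)
{
    if (record_len < 3)
        return 0;
    size_t payload_len = ((size_t)record[1] << 8) | record[2];
    if (payload_len > record_len - 3)
        return 0;                           /* FIX: reject over-long claims */
    if (payload_len > out_cap)
        return 0;
    memcpy(out, record + 3, payload_len);
    return payload_len;
}

/* Builds the constructed memory image: a 5-byte payload "hello" that claims
   to be claimed_len bytes long, followed by unrelated data standing in for
   the keys and passwords that live in a real server's memory. */
static void build_memory(uint8_t *memory, size_t claimed_len)
{
    memset(memory, 0, MEMORY_SIZE);
    memory[0] = 1;                                   /* type: heartbeat request */
    memory[1] = (uint8_t)(claimed_len >> 8);
    memory[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(memory + 3, "hello", 5);                  /* the real payload */
    memcpy(memory + RECORD_SIZE, "SECRET-PASSWORD", 15);   /* adjacent data */
}

/* Byte-wise search that does not stop at the NUL bytes inside the reply. */
static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Runs one handler against the constructed memory and reports whether the
   reply it produced carries the adjacent secret: 1 = leaked, 0 = not leaked. */
int reply_leaks_secret(size_t (*handler)(const uint8_t *, size_t, uint8_t *, size_t),
                       size_t claimed_len)
{
    uint8_t memory[MEMORY_SIZE];
    uint8_t reply[MEMORY_SIZE];
    build_memory(memory, claimed_len);
    /* out_cap keeps every read inside the constructed memory slice */
    size_t n = handler(memory, RECORD_SIZE, reply, MEMORY_SIZE - 3);
    return n > 0 && contains(reply, n, "SECRET");
}

int main(void)
{
    printf("vulnerable handler, claim 40 bytes: leaked=%d\n",
           reply_leaks_secret(heartbeat_reply_vulnerable, 40));
    printf("fixed handler,      claim 40 bytes: leaked=%d\n",
           reply_leaks_secret(heartbeat_reply_fixed, 40));
    return 0;
}
```

With an honest 5-byte claim both handlers echo "hello" and nothing else; with a 40-byte claim the vulnerable handler echoes 40 bytes, which here include the constructed secret, while the fixed handler refuses the record. The one-line check against the received length is the whole difference, which is why the patch the article mentions later was small even though the impact was not.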

What Does It Affect?

According to Sam Kottler, a software engineer who has worked on numerous open source security and systems management projects (and formerly worked at Digg), "Anything that you wouldn't want an 'Internet bad guy' to see is potentially vulnerable on sites using unpatched versions of OpenSSL."

Things like passwords, banking information, credit card data and titillating personal photographs are potentially vulnerable. Basically, everything you do on the Internet.

Has My Data Been Compromised?

Unfortunately, to answer this question you're just going to have to remain alert. "This is really on a site-by-site basis," according to Kottler. "Responsible sites and organizations will let you know if they believe any data has been compromised."

Pay close attention to any notifications from your banks, credit card companies and often-used Internet services over the next few days and comply with any security requests they make of you. As always, be on the lookout for phishing scams when opening these emails.

If you're concerned that your site may have been affected by the bug, you can test your servers here.

Should I Change My Passwords? If So, When?

The patch to the OpenSSL library itself is already available. However, since the software is so widespread, it's going to take some time for the fix to roll out across the web. Since it's worthless to change your password before a site has applied this patch, please wait for direction from individual sites and services.

Update 5:58pm

A Google spokesperson responded to our request for a comment:

The security of our users' information is a top priority. We proactively look for vulnerabilities and encourage others to report them precisely so that we are able to fix them before they are exploited. We have assessed the SSL vulnerability and applied patches to key Google services.  
