The Heartbleed dilemma

A couple of months ago, news broke of a hugely serious vulnerability called the Heartbleed bug (CVE-2014-0160) in OpenSSL, the open-source library that numerous web sites, email services and more rely on for SSL/TLS encryption. The flaw is not in the encryption itself: a missing length check in OpenSSL's handling of the TLS 'heartbeat' extension lets anyone who can connect to an affected server read up to 64 KB of the server's memory per request, without logging in. While OpenSSL isn't used by every web site or company, it's still an extremely common encryption toolkit, and estimates put close to one in five TLS-enabled web servers worldwide on a susceptible version (OpenSSL 1.0.1 through 1.0.1f) at the time the vulnerability was publicly disclosed in early April.
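For readers who want to see the mechanism, the following is an added, deliberately simplified model of the bug written for this article; it is not OpenSSL's code. The record buffer, the stale "password=hunter2" data left in memory and the function names are all constructed for the illustration. The vulnerable handler echoes back however many bytes the client claims to have sent; the fixed handler adds the one comparison that OpenSSL 1.0.1g added.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16)
 * The server echoes payload_length bytes of payload back. OpenSSL 1.0.1-1.0.1f
 * never compared payload_length with the number of bytes actually received. */
#define TLS1_HB_REQUEST 1
#define HB_PADDING      16
#define BUF_SIZE        96

typedef struct {
    unsigned char buf[BUF_SIZE]; /* the received record, then whatever followed it in memory */
    size_t rec_len;              /* bytes actually received on the wire */
} record_t;

/* Constructed stale data standing in for an earlier user's request that is
 * still sitting in the server's heap (not real data). */
static const char STALE[] = "...user=alice&password=hunter2&session=3fa9c...";

/* Build a request that really carries 1 byte of payload but declares `declared`. */
void make_record(record_t *rec, uint16_t declared)
{
    memset(rec->buf, 0, sizeof rec->buf);
    rec->buf[0] = TLS1_HB_REQUEST;
    rec->buf[1] = (unsigned char)(declared >> 8);
    rec->buf[2] = (unsigned char)(declared & 0xff);
    rec->buf[3] = 'A';                      /* the only genuine payload byte */
    rec->rec_len = 1 + 2 + 1 + HB_PADDING;  /* 20 bytes arrived on the wire */
    memcpy(rec->buf + rec->rec_len, STALE, sizeof STALE - 1);
}

/* Vulnerable handler: trusts the peer's payload_length. Returns bytes echoed. */
size_t heartbeat_vulnerable(const record_t *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->buf;
    if (*p++ != TLS1_HB_REQUEST)
        return 0;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    /* Cap only so this demo never leaves its own buffer; the real code had no
     * cap, so a 16-bit length could pull up to 64 KB of memory per request. */
    if (payload > out_cap || 3 + (size_t)payload > sizeof rec->buf)
        return 0;
    memcpy(out, p, payload);  /* copies far beyond rec_len: the over-read */
    return payload;
}

/* Fixed handler, mirroring the check added in OpenSSL 1.0.1g. */
size_t heartbeat_fixed(const record_t *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->buf;
    if (rec->rec_len < 1 + 2 + HB_PADDING)   /* too short to be a valid heartbeat */
        return 0;
    if (*p++ != TLS1_HB_REQUEST)
        return 0;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->rec_len)  /* the missing bounds check */
        return 0;
    if (payload > out_cap)
        return 0;
    memcpy(out, p, payload);
    return payload;
}

/* Does the echoed data contain the needle? (memmem is not portable, and the
 * reply contains NUL bytes, so strstr would stop early.) */
int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Bytes echoed for a request declaring 64 bytes but carrying 1,
 * by the fixed handler (use_fixed != 0) or the vulnerable one. */
size_t echoed_len(int use_fixed)
{
    record_t rec; unsigned char out[BUF_SIZE];
    make_record(&rec, 64);
    return use_fixed ? heartbeat_fixed(&rec, out, sizeof out)
                     : heartbeat_vulnerable(&rec, out, sizeof out);
}

/* 1 if the vulnerable handler's reply contains the stale password. */
int leak_contains_password(void)
{
    record_t rec; unsigned char out[BUF_SIZE];
    make_record(&rec, 64);
    size_t n = heartbeat_vulnerable(&rec, out, sizeof out);
    return contains(out, n, "password=hunter2");
}

int main(void)
{
    printf("vulnerable: echoed %zu bytes for a 1-byte payload, password leaked: %s\n",
           echoed_len(0), leak_contains_password() ? "yes" : "no");
    printf("fixed:      echoed %zu bytes (request rejected)\n", echoed_len(1));
    return 0;
}
```

The point of the model is that nothing the client sends is malformed enough to fail a format check: the request is syntactically valid, only its declared length is a lie, and repeating it thousands of times sweeps through whatever the server's memory happened to hold at the time.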

The kinds of companies exposed here are big names, too: Google, Instagram, Yahoo and Dropbox are among the organisations that ran the vulnerable OpenSSL code. While all such reputable organisations have since updated their OpenSSL installations with a security patch that remedies the bug, security experts advise that it is theoretically possible for users who signed in to any affected web service in the past two years (the vulnerable code shipped in OpenSSL 1.0.1 in 2012) to have had their credentials, session cookies or other data read out of the server's memory.

In other words, your username and password for email services, social networking sites, cloud storage providers and other web sites may have been captured, which theoretically could give interested parties log-in access to any such web accounts. Accordingly, the advisable course of action for any concerned readers is, if you haven't already done so, to change your passwords for any sites that you think might have been affected by the Heartbleed bug. Do so only once the site has actually patched: a new password entered on a still-vulnerable server can be read out just as easily as the old one.

Change your passwords now

Password management company LastPass has set up a convenient Heartbleed checker site that reports whether a given site is (or was) vulnerable to Heartbleed, and you can find further detailed technical information on the bug and related FAQs at Heartbleed.com. Bear in mind that such checkers can only tell you whether a server is vulnerable now, not whether anyone exploited it earlier.

While Heartbleed is an extremely serious bug, some security commentators have pointed out that it's unlikely many users have been affected by the vulnerability, as it's thought that few if any attackers were aware of the issue before April this year, at which point Heartbleed's existence was widely publicised and web site operators rushed to update their servers. Nobody can be certain either way, though: exploiting the bug leaves nothing unusual in a server's logs, so a site has no way of telling whether it was probed.

But the whole calamity just goes to show how exposed users are on the web and, pragmatically speaking, how little 'internet security' can guarantee in extreme cases such as this, when both users (protecting their passwords as best they can) and site operators (implementing industry-standard encryption protocols) follow best-practice guidelines and still end up exposed.

Indeed, the most dire ramifications of Heartbleed may still lie ahead. The immediate user credentials issue for popular web sites can largely be remedied by users updating their passwords, in tandem with web sites patching their OpenSSL installations and, because a server's private key could have been read out of memory just like any other data, reissuing their certificates and revoking the old ones. It's been suggested, however, that the much more serious and still unaddressed issue could be the millions of web-connected hardware devices out in the wild (printers, modems, routers, webcams, media players, storage systems and more) that rely on OpenSSL in part for their secure operation.

You and your family may well run a number of such affected devices in your home. Until users everywhere manually download and install updated firmware on each of these susceptible units and appliances, Heartbleed isn't going anywhere, and for devices whose manufacturers never ship a fix the only practical defence is to keep their web-based administration pages off the open internet.