Heartbleed: what you need to know

April 11th, 2014
Heartbleed: what you need to know

By Naomi Dolin-Aubertin

The Heartbleed bug is the talk of the technology community this week. It is the wolf in sheep's clothing, except unlike the wolf, it leaves no trace. "Catastrophic is the right word," wrote security guru Bruce Schneier in his blog this week. "On the scale of 1 to 10, this is an 11."

Heartbleed potentially affects about 20% of websites that use what are known as SSL or TLS, essentially open-source encryption software represented by the "https" and padlock icon on your web browser. (That translates to hundreds of thousands of websites considering how vast the internet is). This encryption software is designed to keep your confidential information safe.

Think of encryption like a secret language between two people. The two of us are the only people that know the language; to everyone else, what we're saying sounds like gibberish. In encryption terms, this language works as a set of encryption keys. [1]

Heartbleed prays upon what is known as a heartbeat. A heartbeat is a message sent from one computer to another, essentially asking, "are you still there." The reason they send these messages is to keep open a session that might not necessarily be actively exchanging data (i.e. when you leave Facebook open and come back to it an hour later). [2] The Heartbleed bug exploits a weakness in the code to get the responding computer to send it more information than it should. It looks something like this:

You'll notice that the first computer contains a data packet (in this case a word) and then the size of the packet (the number of letters). Heartbleed sends a tiny packet and tells the computer on the other end that it is actually a large packet. What this boils down to, is that hackers could potentially have gotten encrypted passwords, encryption keys and other supposedly secure data.

So what should you do about it? Before rushing out to change your passwords, head over to these sites first to check whether or not websites you used were vulnerable and whether or not they have been fixed. A long list of social media, email, social sharing and other sites were potentially vulnerable to attack, including Facebook, Yahoo, Gmail, Instagram, etc.
Don't see a particular site on those lists? You can run the site through the Heartbleed test located here:

For the time being, unless you hear otherwise, it would be wise to stay off websites that haven't been patched against Heartbleed, especially financial institutions or other websites with credit card data. And with sites that have been patched, it's time to reset your passwords.

Leave a comment!

Your email address will not be published. Required fields are marked *