Heartbleed Bug: The Chaotic Nature of the Internet Under the Magnifying Glass

by Istvan Fekete on April 10, 2014

A major security flaw in widely used encryption software was unveiled this week. For the majority of users, it shed light on the enduring and terrifying realities of the Internet: it is inherently chaotic, with nobody in charge of it all. For skeptics, it was another reason to spread their belief: never trust anything.

The Heartbleed bug, uncovered by security experts publicly on Monday, was a product of the online world’s makeshift nature. Just to help you realize how serious this bug is: you may see logos of big, multibillion-dollar companies when you shop, bank or communicate through the Internet, but almost all of them rely on free software, which is often built and maintained by volunteers to help make those services secure.

According to security experts, Heartbleed was lodged in a section of code that had been approved two years ago by a developer who helps maintain OpenSSL, software created in the mid-1990s and used by companies and government agencies almost everywhere.

To understand the severity of Heartbleed: on a scale of 1 to 10, the bug is an 11, according to Bruce Schneier, a renowned security expert. “Catastrophic” is the right word, he says.

The extent of the damage caused by this bug remains unknown, but the possibilities for data theft are enormous. For example, companies and government agencies will have to replace their encryption keys, and millions of users will have to create new passwords on sites they previously thought were secure. And this is just the minimum required action.

The name Heartbleed comes from an OpenSSL feature called “Heartbeat”. The bug was discovered by a Google researcher and, separately, by Finland-based Codenomicon, a security company.

The flaw could allow hackers to get access to encrypted data – such as usernames, passwords, credit card numbers and Social Security numbers – online.

The bug has been patched. After patching your systems, you have to generate a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected.
