Last week, the news about a large-scale internet security vulnerability called the heartbleed bug jolted the tech world and sent websites and companies into crisis mode.
For those who have not heard, the heartbleed bug is a vulnerability in the programming used in open-sourced SSL server software and on websites.
Many websites have adjusted their programming, but before putting vital information on the web, like online banking information, students should check to be sure that their banking app or website does not use the vulnerable version of the OpenSSL software. To see if a site is secure, students can go to https://filippo.io/Heartbleed/ and input a site’s url.
Indrajit Ray, a computer science professor here at CSU who specializes in network, data and application security, breaks down the problem in simpler terms.
“It’s called heartbleed because it is bleeding memory location, you can read memory contents off a machine,” Ray said.
Much of the web uses the OpenSSL protocol software to encrypt communications between computers. For example, Gmail, Facebook and a few banking sites use the OpenSSL software.
The protocol involves the use of “keys.” One is called the public key, and the other is called the private key. The public key encrypts a message to a specific location, and the recipient uses their own private key to decrypt and read that message.
The security breach occurs when the private key, which expresses a digital signature, can be obtained and used by any motivated hacker.
“If someone has Gmail’s private key, they can access Gmail’s messages and tell the world they are Gmail,” Ray said. “It’s a very serious flaw, but it’s also an easy fix.”
While the heartbleed problem presents a issue for users and web servers alike, the solution is fairly simple. For the everyday person, simply changing login information is a useful if tedious task to protect personal accounts and information.
If the servers themselves are not patched, your new information can just be viewed by the next interested hacker with knowledge of how to exploit the heartbleed bug.
The vulnerable SSL software has been in use for over two years. The problem was discovered last week by security engineers at Codenomicon and Google Security.
So if the problem has existed for two years, and vital information could have been seen for that entire time by anyone who knew about the heartbleed bug, then who knew about it?
“We don’t know how much it has been exploited, and there is no real way to verify if the vulnerability has been exploited,” Ray said. “We assume that other people knew about it.”
Although the prospect of so much private information being openly accessible for such a long period of time is frightening, pragmatic action — like changing passwords and being aware of the still-vulnerable websites — will minimize the risk the heartbleed bug poses.
Collegian Editor at Large Zack Burley can be reached at firstname.lastname@example.org.