
Heartbleed: What to know

A bug in OpenSSL, the encryption software behind many secure websites, puts passwords and credit card numbers at risk online. How can you protect yourself?

Heartbleed is not some frighteningly named computer virus. It’s a potentially critical flaw in OpenSSL, a widely used piece of encryption software that is supposed to protect users’ personal information online.

In basic terms, a computer and a Web server that share a secure connection check that the other side is still there by exchanging what are called heartbeats.

Say a computer sends a server a heartbeat. It asks something like, "Hey, server, if you’re still there, reply with 'Ray.' It is three characters." The server will find those three characters in its memory and send them back to the computer to prove it is there.

Now say you're a computer-savvy person. You can ask the same of a server from your own computer — for example, "Hey, server, find 'Suarez.' It's six characters." The server will find those characters in its memory and show them to you.

But now pretend that you ask, "Hey, server, find the words 'Inside Story.' It's 3,000 characters." Because of the bug, the server never checks that claim: it replies with the words 'Inside Story' followed by thousands of other unencrypted characters from its memory, potentially including other users' passwords and credit card numbers.

And that is where the bug can be exploited. A would-be hacker or criminal can trick the server into returning far more data than such an exchange should ever carry, revealing sensitive information from its memory.
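A simulation of the over-read described above, added here as an illustration and not code from OpenSSL or from this article: the memory arena, the "Inside Story" request and the neighbouring "session" bytes are all constructed for the example, and the fixed handler shows the kind of length check that closes the hole.

```c
#include <stdint.h>
#include <string.h>

/* Simulated server memory (constructed for this example): the received
   heartbeat record sits at the front and unrelated session data from
   another user happens to sit a few bytes behind it. */
#define ARENA_SIZE 96
static unsigned char arena[ARENA_SIZE];

/* Record layout mirrors the TLS heartbeat extension: byte 0 = type, bytes
   1-2 = claimed payload length (big-endian), then the payload. Returns the
   byte count actually received; assumes the payload is under ~55 bytes. */
static size_t build_arena(const char *payload, uint16_t claimed_len) {
    size_t actual = strlen(payload);
    const char *secret = "session: user=alice pw=hunter2"; /* constructed */
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                 /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual);
    memcpy(arena + 3 + actual + 4, secret, strlen(secret));
    return 3 + actual;
}

/* Reads the length the peer claimed, capped so this simulation never
   leaves the arena (the real bug had no such cap, only the TLS record). */
static size_t claimed_length(void) {
    size_t claimed = (size_t)((arena[1] << 8) | arena[2]);
    return claimed > ARENA_SIZE - 3 ? ARENA_SIZE - 3 : claimed;
}

/* Vulnerable handler: trusts the claimed length, ignores how many bytes
   were really received, and echoes neighbouring memory back to the peer. */
static size_t heartbeat_vulnerable(size_t record_len, unsigned char *out) {
    (void)record_len;                             /* never checked: the bug */
    size_t n = claimed_length();
    memcpy(out, arena + 3, n);
    return n;
}

/* Fixed handler: the claimed length must fit inside the record that was
   actually received; otherwise the request is dropped without a reply. */
static size_t heartbeat_fixed(size_t record_len, unsigned char *out) {
    size_t n = claimed_length();
    if (3 + n > record_len)
        return 0;                                 /* would read past the record */
    memcpy(out, arena + 3, n);
    return n;
}
```

The patched OpenSSL applied the same idea: the length the peer claims is compared against the length of the TLS record that actually arrived, and a request that does not fit is discarded.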

Can users protect themselves from this bug? And how? We asked a panel of experts for the Inside Story.

Why did it take so long to discover this bug?

Christina Warren, senior tech analyst, Mashable: It would be like trying to find a typo in "Ulysses." This was a really minor mistake, the equivalent of a typo. There were tons of people who were part of the OpenSSL project, and it just slipped through. The OpenSSL project has very few core projects and core members. So a lot of people can look at the code, but that doesn't mean a lot of people will.


Why is it so hard to fix?

Patching the software itself is simple, but patching the server is just one part of the process. If any of those sites have digital certificates, they have to revoke them and reissue them. It takes a lot of time to reissue those certificates. There are a lot of sites that can't do this easily. Certification authorities issue licensees. There are a few of them, compared to millions of websites.

Android phones can't get upgrades from Google. They have to get upgrades from carriers. It takes work to get the updates installed. If you issue certificates too fast, then you might end up with further problems.


Now that this bug has been discovered, what should consumers do?

This is the worst part of this bug. There is not an easy answer for consumers. We don't have a lot of control. Major websites have upgraded their software. If you are using your password on multiple sites and one site was impacted by Heartbleed, you should change all your passwords because now people are starting to exploit it.


Is it time to rethink the password?

This was a wake-up call for us. The password in this case is irrelevant. But you shouldn't have the same password for multiple sites. Technologists need to figure out how to make passwords more secure but more easy to use.


What is Heartbleed costing companies?

We don't have specific figures, but we know it is costing companies a lot. They have to update services and shut down servers. The immediate costs are in the fixes and manpower.

What should average users do now?

Robert Siciliano, identity theft expert: Everyone should consistently update their systems like their anti-virus software, their browser versions, their phone push updates and their password securities. Whenever a website has SSL, it holds critical information. Some people are saying, "Don't change your passwords until everyone is updated," but many people don’t change it often anyway. You should change it every six months to a year.

I say you should just change your password. There are many websites out there that allow you to plug in the Web address and check if websites are affected. But even if it is not affected, change your password. It's a good habit to get into.


How are companies working to fix their software?

Wherever websites are being hosted, the host providers are first in line to get the patch to update their servers. This will protect websites and secure services. If you have a website, go to your IT manager, and your IT should check if your host is vulnerable.


How major is the flaw?

I’ve seen that close to 20 percent of all Web servers connected to the Internet were vulnerable — around 250 million websites. That's significant. I don't think there was one particular host server at fault. It was a number of them. The flawed code was open-source [public], so that's how the code's information was so widespread.

How can users protect themselves from bugs like this in the future?

The reality is that it's out of the control of the consumer. The simple username and password combination as a means of security is outdated, hacked and decimated. There are so many ways that that combination can be cracked. The best thing to do is initiate two-factor or multifactor authentication for passwords. That means you type in a first password, then a second password that is sent to you through a second device like your cell phone. It might take an extra five seconds out of your life, but it's worth it.

Why did it take so long to discover this bug?

Yan Zhu, programmer: Even though the code is open, it is very large and complex. No one has done a thorough audit of the code. Because it was free and open software, there was not enough funding. This software was basically written by volunteers.


Why is it so hard to fix?

The bug itself is easy to fix. The bug in the code was fixed simply. But because this software is all over the Web, we have to go to the millions of Web servers individually and fix the encryption keys. At worst, it might be months before some of the changes are fully in place. When a Web server revokes its encryption keys, there isn't a great infrastructure to tell people to change encryption keys. Browsers have software in place to tell consumers about the revocation of encryption keys, but it's unreliable.


Now that the bug has been discovered, what should consumers do?

The best thing to do is if the company has come out and said, 'We have fixed the bug. You should change your password immediately,' you should change it. Most companies have advised consumers to change.


Is it time to rethink the password?

Passwords don't work very well for protecting sensitive information, but we don't have anything better.

The above panel was assembled for the broadcast of "Inside Story" to discuss Heartbleed.
