Everything You Need to Know About the Heartbleed Bug

Roughly two-thirds of web servers are currently susceptible to the Heartbleed bug.

The Internet has become the lifeline of a vast majority of businesses today. Other businesses that aren't completely reliant on it have some, if not all, of their functions linked to the World Wide Web.  

Imagine then, a world without the Internet, or worse, one where we're constantly under attack. Now, this is what nightmares are made of! Thankfully though, we have a few unsung heroes who're constantly toiling away to keep the web safe from hackers and devious minds on the prowl who are out to steal your identity and private information on the Internet.

Ben Laurie and a handful of programmers based in Europe are responsible for maintaining an extremely crucial software called OpenSSL that has, for more than a decade, kept our online transactions safe and protected from the prying eyes of hackers, that is, until now.

In layman terms, OpenSSL is a force field that keeps away all intruders trying to snoop in on your private information. This open-source program scrambles sensitive online data so that no one else can access it. It is an integral part of a majority of sites like email providers, online banking sites, government sites, etc.

That deal with your private information. A very reassuring sight is the lock symbol that appears in the address bar on a secure web page, and is suffixed by https:// as opposed to http:// for regular sites.

This little piece of web technology is what safeguards your information on major websites like Google sites (Gmail, Google Maps, Google Play, etc.), Yahoo, Amazon, Facebook, etc.

OpenSSL, as we mentioned earlier, is a free-for-all program used by the biggest names on the Internet. Unfortunately though, very little, if anything, is done by the bigwigs of the industry to maintain this imperative piece of programming for web security. 

This is reflected by Ben Laurie's statement to The Huffington Post, "There are a lot of companies making big bucks that use this in their core products." He further went on to say, "They should be making contributions, but their position is, 'We found this nice thing you're giving away for nothing. That's kind of you, but we're not going to help you.'"

A sorry plight indeed, but what does this have to do with the Heartbleed bug? Everything! Considering that very little money trickles through into the maintenance of OpenSSL, auditing―something that is crucial to spot the bugs and loopholes in a software code―is just not feasible for the handful of programmers working on the project.

Besides, most of these programmers rely on other jobs to pay their bills. Nonetheless, OpenSSL has done a remarkably good job of keeping websites secure for over a decade. The program's untainted reputation though, took a major hit on 7 April 2014.

When Google security researcher, Neel Mehta and researchers at Codenomicon, an independent software firm, discovered a major bug concealed within 10 lines of the program's code. According to the researchers who uncovered the flaw in this popular data encryption standard, the bug has been around for nearly 2 years now. 

What is even more alarming is that a Web Server Survey conducted by web security company, Netcraft, as on April 2014, revealed that about 66% of the 958,919,789 websites observed were built around OpenSSL. This leaves about 500,000 servers vulnerable to an attack.

OpenSSL sets up a secure communication line between two participating systems, wherein the data transmitted between the two can only be decrypted by one of the two participants. Every once in a while, the systems involved send across a ping or a heartbeat to the other to ensure that the system is still online.

A flaw in the programming of the software means that this channel can be exploited by hackers to retrieve private data from the systems. As it affects the heartbeat, it has been christened the Heartbleed bug.

Almost all major financial institutions use OpenSSL for their online portals. Internet giants like Google and Yahoo too use this data encryption standard for their sites. The Heartbleed bug lets hackers retrieve your private information, bank and credit card details without a hitch.

What makes things worse is the fact that they could do so without leaving any trail behind. In fact, the service provider might not even come to know of any such break-ins. Hackers could retrieve the encryption keys of websites.

These would let them decrypt the data sent across using the site without the need to use the heartbeats each time. What this means is that your personal information could still be accessed even if you were to change your password right now.

As the bug is at the server end, there's very little you can do to completely protect yourself from it. Most companies are working on releasing a patch for the Heartbleed bug and should have it out soon. You could visit this website to check if the site you want to visit has fixed the issue. In the meanwhile, here are a few things you can do on your part:

• Avoid carrying out any transactions or accessing important mails for a while.
• DO NOT change your password till the website has fixed the bug. This would give you a sense of false security as your account would be just as vulnerable as before.
• Keep a close eye on any transactions on your account, and notify your bank if anything seems off.

• If you're really paranoid about the entire situation, stay off the Internet for a while till things are in control.

The sheer volume of servers and services affected by the Heartbleed bug are bound to cause panic among Internet users the world over.

While it is undoubtedly a cause for concern, a fix for it is already on its way, and the problem should be resolved soon. Now would be the perfect time to keep your credit card away for a while, and secure yourself from a Heartbleed. Cheers.