Can’t Staunch a Heartbleed

If you’ve used the internet in the last two years, there’s a very good chance that your personal data has been exposed. Any website that you log in to is likely to have been compromised by Heartbleed, a serious bug in the way sites verify your secure connection.

When you visit a site that begins with “https://” or see a little padlock icon in your address bar, you’re supposed to be connecting securely. All information that you send to the site (password, text of emails, etc.) and that it sends to you (account numbers, client information, etc.) is encrypted, so someone can’t tell what you’re doing by just snooping on your internet connection.

The Heartbleed bug is potentially a lot more serious than the occasional security lapses that result in leaks of usernames and passwords or even the breach at Target that compromised over 40 million credit card numbers. Instead of one site exposing data, Heartbleed left a loophole in the protocol the majority of sites use to secure their users’ information.

OpenSSL, a protocol that handles all this encryption and decryption, turns out to be broken, and has been leaving back doors open for two years undetected. The Heartbleed bug works like a peephole into that stream of supposedly encrypted data. An attacker can’t browse your traffic at will, but they can keep peering in, seeing random snatches of whatever happens to be in transit at that moment.

That means malicious actors can spot your user name and password, as one tester did for Ars Technica, skimming login credentials from Yahoo Mail, but they might also pull in the full text of the email you’re sending. Heartbleed affected about two-thirds of all servers, and although a patch has been released, each website must fix the bug individually.
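The “peephole” comes from a missing length check: the server echoed back as many bytes as the client *claimed* to have sent, not as many as actually arrived, so the reply was padded with whatever sat next to the request in memory. The toy model below is an added example, not OpenSSL’s code; the record layout, the `arena` standing in for process memory and the constructed `secret` string are all assumptions made for illustration, and the vulnerable copy is bounded by the arena only so that the model stays defined in C.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Toy model of the Heartbleed defect (added example, not OpenSSL code).
 * A heartbeat request is [type][len hi][len lo][payload]; the server
 * echoes `len` bytes of payload back. The record sits inside a larger
 * memory region that also holds unrelated data, modelled here by a
 * constructed "secret" string placed a few dozen bytes further along. */

#define ARENA_SIZE 128
#define HEADER_LEN 3

/* Constructed stand-in for process memory: the record, then other data. */
static uint8_t arena[ARENA_SIZE];
static const char secret[] = "session=abc123;pw=hunter2";

static uint16_t read_be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Lays out a request with the given payload and *claimed* length.
 * Returns the real number of bytes that arrived on the wire. */
size_t build_request(const char *payload, uint16_t claimed_len) {
    size_t n = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                               /* heartbeat request type */
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)claimed_len;
    memcpy(arena + HEADER_LEN, payload, n);
    memcpy(arena + 64, secret, sizeof secret);  /* unrelated data nearby */
    return HEADER_LEN + n;
}

/* Vulnerable: trusts the peer's length field and ignores how much data
 * really arrived, so the echo reaches past the payload into `secret`. */
size_t heartbeat_vulnerable(size_t record_len, uint8_t *out, size_t out_cap) {
    (void)record_len;                           /* the real length is never consulted */
    size_t n = read_be16(arena + 1);
    if (n > ARENA_SIZE - HEADER_LEN || n > out_cap) return 0;
    memcpy(out, arena + HEADER_LEN, n);
    return n;
}

/* Fixed: the claimed length must fit inside the record that was received;
 * anything else is dropped without a reply. */
size_t heartbeat_fixed(size_t record_len, uint8_t *out, size_t out_cap) {
    size_t n = read_be16(arena + 1);
    if (HEADER_LEN + n > record_len || n > out_cap) return 0;
    memcpy(out, arena + HEADER_LEN, n);
    return n;
}
```

With a request that claims 100 bytes but carries 5, the fixed handler returns nothing while the vulnerable one returns 100 bytes that include the neighbouring `secret`.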

That means you shouldn’t rush to change all your passwords. Your bank or email or company may still have left the digital stable door open. You can check whether any particular website is broken using this tool, and, if you get the all-clear, make the change. But, although you can see which sites have been fixed, there’s no way to look up whether your own information has been skimmed.

There’s no easy undo button for this kind of insecurity. There’s no guarantee to cover your losses, like the fraud protection for Target customers. There’s no one to punish and no way to retroactively protect yourself.

Heartbleed is a reminder of the fragility of the complex systems that surround us and our own powerlessness to make ourselves safe from every kind of harm. It’s worth auditing our old failsafes, but the Heartbleed bug, like the iOS vulnerability revealed and fixed earlier this year, may just be the collateral price we pay for the convenience of software.

There is no indication that this flaw was deliberate, like the NSA’s subversion of encryption tools, or negligently handled, like GM’s fatal ignition switches. We can work to increase oversight and try to build antifragility into our security systems, but, online and off, there’s a limit to our ability to “Do something!”
