Does the Heartbleed Bug Mean You Should Stay Off the Internet?

Here are seven things you should know.

<a href="http://heartbleed.com/">Heartbleed

Fight disinformation: Sign up for the free Mother Jones Daily newsletter and follow the news that matters.


Update: The NSA knew about the Heartbleed bug for at least two years and actively exploited it in order to gather intelligence, Bloomberg reported on Friday. This means that under the pretense of protecting Americans, the NSA intentionally didn’t notify millions of Americans that they were vulnerable to identity theft. Go read that book, now.

On Tuesday, news broke that the safeguard many websites use to protect sensitive information on the internet has had a major security flaw for about two years. These sites use a security system called OpenSSL to encrypt data like content, passwords, and Social Security numbers. But thanks to a small coding error in a popular version of OpenSSL, nicknamed “Heartbleed,” hackers can potentially steal sensitive data from vulnerable websites. Richard Bejtlich, chief security strategist at FireEye, a network security company, notes that there’s no evidence that malicious hackers have exploited the flaw yet. But the secrecy-minded Tor Project, which enables anonymous internet browsing, nevertheless recommended on Monday that, “If you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle.” Here are seven reasons why you might want to stop looking at cat videos right now:

1. Lots of popular websites have the security problem.

According to the New York Times, up to two-thirds of sites on the internet rely on OpenSSL. A user on Github, an open-source coding site, compiled a list of sites that were allegedly vulnerable after a test was conducted on Tuesday. The Github list included Yahoo, Flickr, OkCupid, and Eventbrite, among dozens of other companies. (Some may have since updated their security.) Facebook and Google both released statements confirming they are not affected by the flaw. If you’d like to test a specific site to see whether it’s could be exploited—although this doesn’t meant that it has—go here.

2. Your most sensitive personal information is at risk.

When websites use SSL, that’s a good thing. The security layer is deployed during sensitive transactions to protect data like bank details, social security numbers, and passwords. Runa Sandvik, a staff technologist at the Center for Democracy and Technology (CDT), says that she’s heard, “this is even worse than if SSL wasn’t used at all, because it’s used to protect sensitive information. A site that isn’t protected at all, you might not submit sensitive information there in the first place.” The good news is, some security researchers are reporting that hackers may not be able to get the private keys to an entire website’s content. The bad news is, the flaw is still “a great way to steal passwords from recent logins” according to researchers at Errata Security.

3. Canada is freaking out.

The Canada Revenue Agency announced on Wednesday that it is temporarily shutting down its online services as a result of the Heartbleed bug. The moves come mere weeks before Canadians are expected to file their taxes. The U.S. Internal Revenue Service said in a statement Wednesday that its website has not been affected by the bug.

4. Right now, hackers are racing to get at that information.

“With these things, you can practically hear the shotgun go off. We’re in a race now between the attackers and the defenders, to see how quickly attackers can build viable attacks, and how quickly the defenders can put out their defenses,” says Christopher Budd, a spokesperson for Trend Micro, a Japanese security software company. He notes that while exploiting the vulnerability right now is fairly difficult, as hackers share information, people could build tool kits and it will become significantly easier.

5. You won’t necessarily know if your information has been hacked.

“It’s a serious bug in that it doesn’t leave any trace,” David Chartier, chief executive at Codenomicon, told the New York Times. “Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there’s no trace they’ve been there.”

6. It won’t be easy for websites to fix the problem.

Budd says fixing the problem is “simple, but not easy.” While there is a fixed OpenSSL version that websites can download, it can take time to roll out the new program across a website’s entire infrastructure. Budd notes that companies will have to weigh the risk of an attack against the potential that the entire website might come crashing down if a new coding error is introduced. That might dissuade companies from acting quickly. Additionally, after a website installs the new “fix,” it needs to update its SSL certificate, a process that can take a little time. Jeremy Gillula, staff technologist at the Electronic Frontier Foundation, notes that even if a website has downloaded the fix, if it hasn’t updated its certificates, it “could still be subject to a man-in-the-middle-attack on its users.”

7. Changing your passwords right away isn’t necessarily going to help you.

After news of Heartbleed broke, you probably got a lot emails from people telling you to change your passwords. Not so fast, experts say. If you change your password prior to a site getting rid of the bad SSL, your new password could be just as vulnerable as your old one. Sandvik from CDT says, “I’m in the same situation as everyone else. I would look for statements issued by companies before logging in, and if there is no statement, contact them and ask them. Also test their website.” Budd advises, “This is one of those situations where the best thing people can do is stick to best practices, don’t panic, and wait to hear information from people to know what’s going on. If you get instructions, follow them.”

Or you know, go read a book.

WE'LL BE BLUNT

It is astonishingly hard keeping a newsroom afloat these days, and we need to raise $253,000 in online donations quickly, by October 7.

The short of it: Last year, we had to cut $1 million from our budget so we could have any chance of breaking even by the time our fiscal year ended in June. And despite a huge rally from so many of you leading up to the deadline, we still came up a bit short on the whole. We can’t let that happen again. We have no wiggle room to begin with, and now we have a hole to dig out of.

Readers also told us to just give it to you straight when we need to ask for your support, and seeing how matter-of-factly explaining our inner workings, our challenges and finances, can bring more of you in has been a real silver lining. So our online membership lead, Brian, lays it all out for you in his personal, insider account (that literally puts his skin in the game!) of how urgent things are right now.

The upshot: Being able to rally $253,000 in donations over these next few weeks is vitally important simply because it is the number that keeps us right on track, helping make sure we don't end up with a bigger gap than can be filled again, helping us avoid any significant (and knowable) cash-flow crunches for now. We used to be more nonchalant about coming up short this time of year, thinking we can make it by the time June rolls around. Not anymore.

Because the in-depth journalism on underreported beats and unique perspectives on the daily news you turn to Mother Jones for is only possible because readers fund us. Corporations and powerful people with deep pockets will never sustain the type of journalism we exist to do. The only investors who won’t let independent, investigative journalism down are the people who actually care about its future—you.

And we need readers to show up for us big time—again.

Getting just 10 percent of the people who care enough about our work to be reading this blurb to part with a few bucks would be utterly transformative for us, and that's very much what we need to keep charging hard in this financially uncertain, high-stakes year.

If you can right now, please support the journalism you get from Mother Jones with a donation at whatever amount works for you. And please do it now, before you move on to whatever you're about to do next and think maybe you'll get to it later, because every gift matters and we really need to see a strong response if we're going to raise the $253,000 we need in less than three weeks.

payment methods

WE'LL BE BLUNT

It is astonishingly hard keeping a newsroom afloat these days, and we need to raise $253,000 in online donations quickly, by October 7.

The short of it: Last year, we had to cut $1 million from our budget so we could have any chance of breaking even by the time our fiscal year ended in June. And despite a huge rally from so many of you leading up to the deadline, we still came up a bit short on the whole. We can’t let that happen again. We have no wiggle room to begin with, and now we have a hole to dig out of.

Readers also told us to just give it to you straight when we need to ask for your support, and seeing how matter-of-factly explaining our inner workings, our challenges and finances, can bring more of you in has been a real silver lining. So our online membership lead, Brian, lays it all out for you in his personal, insider account (that literally puts his skin in the game!) of how urgent things are right now.

The upshot: Being able to rally $253,000 in donations over these next few weeks is vitally important simply because it is the number that keeps us right on track, helping make sure we don't end up with a bigger gap than can be filled again, helping us avoid any significant (and knowable) cash-flow crunches for now. We used to be more nonchalant about coming up short this time of year, thinking we can make it by the time June rolls around. Not anymore.

Because the in-depth journalism on underreported beats and unique perspectives on the daily news you turn to Mother Jones for is only possible because readers fund us. Corporations and powerful people with deep pockets will never sustain the type of journalism we exist to do. The only investors who won’t let independent, investigative journalism down are the people who actually care about its future—you.

And we need readers to show up for us big time—again.

Getting just 10 percent of the people who care enough about our work to be reading this blurb to part with a few bucks would be utterly transformative for us, and that's very much what we need to keep charging hard in this financially uncertain, high-stakes year.

If you can right now, please support the journalism you get from Mother Jones with a donation at whatever amount works for you. And please do it now, before you move on to whatever you're about to do next and think maybe you'll get to it later, because every gift matters and we really need to see a strong response if we're going to raise the $253,000 we need in less than three weeks.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate