Heartbleed is a flaw in OpenSSL. Occasionally, one computer wants to check that its secure connection to another computer is still alive. To do so, it sends a small packet of data that asks for a response, like a heartbeat.
However, researchers discovered that it was possible to send a specially crafted packet that looked like one of these heartbeats and trick the computer at the other end into sending back data stored in its memory. To make matters worse, it has since been realized that the flaw has been present in OpenSSL for the past two years and that exploiting it leaves very little trace.
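To show where the bug lived, here is an added Python model (not code from the original post or from OpenSSL) of the heartbeat message layout from RFC 6520 and the bounds check that the patched OpenSSL applies before echoing a request: the declared payload length must fit inside the bytes that actually arrived. The two sample messages at the bottom are constructed for the demonstration.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: a heartbeat message carries at least 16 bytes of padding


def parse_heartbeat(record: bytes):
    """Parse a HeartbeatMessage body (RFC 6520): type(1) | payload_length(2) | payload | padding.

    Returns (type, payload). Raises ValueError when the sender's declared
    payload_length does not fit in the bytes actually received. That length
    check is exactly what vulnerable OpenSSL lacked: it trusted payload_length
    and copied that many bytes from memory into the response.
    """
    if len(record) < 3:
        raise ValueError("heartbeat shorter than its fixed header")
    hb_type = record[0]
    (payload_length,) = struct.unpack("!H", record[1:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        raise ValueError(f"unknown heartbeat type {hb_type}")
    # Patched behaviour: header + declared payload + minimum padding must fit in
    # the record, otherwise the message is discarded (RFC 6520 section 4).
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        raise ValueError(
            f"declared payload_length {payload_length} exceeds the "
            f"{len(record)}-byte record that was received")
    return hb_type, record[3:3 + payload_length]


def build_heartbeat(hb_type: int, payload: bytes, padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Serialize a well-formed heartbeat message with the given payload and padding."""
    if len(padding) < MIN_PADDING:
        raise ValueError("padding must be at least 16 bytes")
    return bytes([hb_type]) + struct.pack("!H", len(payload)) + payload + padding


def respond(request_record: bytes) -> bytes:
    """Answer a heartbeat request the way a patched peer does: echo only the
    payload bytes the request actually carried, never more."""
    hb_type, payload = parse_heartbeat(request_record)
    if hb_type != HB_REQUEST:
        raise ValueError("not a heartbeat request")
    return build_heartbeat(HB_RESPONSE, payload)


def is_well_formed(record: bytes) -> bool:
    """True when the message passes the length check, False when it must be dropped."""
    try:
        parse_heartbeat(record)
        return True
    except ValueError:
        return False


# Constructed samples: a legitimate 4-byte request, and a request whose header
# claims 16384 bytes of payload while only 4 bytes were sent (the shape a patched
# server must reject rather than answer).
GOOD_REQUEST = build_heartbeat(HB_REQUEST, b"ping")
MALFORMED_REQUEST = bytes([HB_REQUEST]) + struct.pack("!H", 16384) + b"ping" + b"\x00" * MIN_PADDING
```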
This raises several important questions, not only for testers and developers, but also for the average web user. Let’s take a look at a few in particular:
1. Are You Affected?
Probably. Since hundreds of thousands of sites were affected, chances are that you have used at least one of them on a fairly regular basis. While there is no way to tell with 100% certainty, many experts are urging people to take the necessary precautions, which leads us to our next key question…
2. How Can You Protect Yourself?
According to Business Insider, the best way to tackle this problem is to assume that the worst has already happened. Most major service providers are already updating their sites and taking proactive security measures, but you should also change your passwords and assume that your accounts have already been compromised (as awful as that sounds).
CNET advises that you check your financial statements over the next few days to ensure that your privacy is still intact and that your financial accounts have not been compromised. A hacker who has accessed a bank server, for instance, has likely snagged information about recent credit card activity.
3. What Passwords Should I Change?
Mashable has recently published a list of the sites on which you should strongly consider changing your passwords, including:
- Google & Gmail
- Yahoo & Yahoo Mail
- Amazon Web Services
- Intuit (TurboTax)
4. What Websites Are Affected?
The most popular sites affected by the Heartbleed bug, according to Digital Trends anyway, were:
5. What Is Being Done About This Security Breach?
Thankfully, the Heartbleed bug itself is quite easy to fix. Sites are currently updating their software and security certificates to ensure that the bug can no longer harm their users or expose the data that consumers have entrusted to them.
As testers and app quality enthusiasts, we’d be interested to hear your thoughts on why this bug existed for such a long period of time before being discovered. Have an answer? Be sure to share it in the comments below!