A week ago, nobody had ever heard the term “heartbleed” outside of the medical industry.
This week, Heartbleed has appeared in major newspapers, websites, and publications all over the world. What is Heartbleed? And why are people freaking out about it?
Heartbleed is a recently discovered vulnerability in OpenSSL. OpenSSL is encryption software used by millions of websites around the world, including government agencies, banking websites, shopping sites, and many more.
When this vulnerability was discovered, it meant that millions of major transactions performed over the last few months could have been spied upon. It meant that millions of credit card numbers could be at risk.
Since an estimated 2/3 of the internet uses OpenSSL, Heartbleed is a major issue.
But should you really worry about Heartbleed? Or is it another overblown media controversy? Here are the top 5 most important things to know about Heartbleed:
5) Some of the world’s largest online companies were “possibly affected”
Some of the internet’s biggest players have publicly stated that they were affected by the Heartbleed exploit. That does not mean that user information was stolen, but it does mean that a hacker with knowledge of the Heartbleed exploit could have used that exploit to steal information from all of the following websites:
-Canada Revenue Agency
4) Not everybody was affected
The Heartbleed vulnerability, tracked as CVE-2014-0160, was introduced in a specific update of OpenSSL. That update was used widely across the internet, but not all websites have been affected. Here are the websites which have publicly stated they were not affected by the exploit:
3) The exploit has been patched by almost all affected services
All of the internet’s biggest players affected by the exploit have patched their code. They’ve been working frantically to make sure the fix is in place.
At this point, most services have been fully patched and the Heartbleed exploit has effectively disappeared. Of course, the major concern is that information stolen over the last few months will soon make its way to the surface.
2) Heartbleed affected 2/3 of all internet servers
When people say an exploit affected “millions” of websites, that sounds like a huge number. But the internet is a big place and there are nearly a billion websites active on the internet today.
With that in mind, Heartbleed affected 2/3 of all internet servers. It didn’t affect millions of websites. It affected hundreds of millions.
Each of these websites used OpenSSL to encrypt passwords, personal data, credit card numbers, and even tax information used by government agencies. All of this information is at risk if a bad guy identified the Heartbleed exploit before the good guys.
That’s a massive number and it likely makes Heartbleed the most widespread security exploit of modern times.
1) It’s possible that no information was stolen through Heartbleed
The craziest part about Heartbleed is that hackers might not have known about it. In fact, it’s highly possible that no information was stolen through Heartbleed at all.
Obviously, for a vulnerability to be exploited, there needs to be someone who knows about it and has malicious intent. Nobody knows if that actually happened with Heartbleed.
As with any security leak, you should check your bank account, credit card account, and any other sensitive information you use online. So far, nobody has come forward stating that they exploited Heartbleed or were exploited by Heartbleed, so it may all just blow over.