What You Need to Know About the Heartbleed Bug
The big tech news of the week has been a security flaw that could be affecting some of your favourite websites and leaking your confidential data. A security bug in SSL encryption, called Heartbleed, potentially allows malicious users to gain access to data that you’d rather keep private.
The Heartbleed Bug works by exploiting the heartbeat function of SSL encryption. The heartbeat is a short message that the computer on one end of an SSL connection sends to the computer on the other end to check that it’s still there. A member of Google’s security team and a team at software security company Codenomicon found that a malicious message formatted in just the right way would cause the computer receiving it to answer the heartbeat with confidential information.
These heartbeat responses could include all sorts of confidential information that you’ve uploaded to a website, not just your password or credit card information. A malicious heartbeat could trick a server into returning thousands of characters of data to an attacker.
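As an added illustration (not code from this article or from OpenSSL): in the heartbeat format defined by RFC 6520, a request carries a payload plus a field stating how long that payload is, and the receiver echoes the payload back. The C example below shows the length check a receiver needs so that it never echoes more than it was actually sent; the names hb_respond and hb_demo and the sample message are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* 1-byte type + 2-byte payload length */
#define HB_PADDING  16  /* minimum padding required by RFC 6520 */

/* Build the reply to the heartbeat request in msg[0..msg_len).
 * Returns the reply length, or 0 when the request is discarded.
 * Padding is zero-filled here; the RFC asks for random padding. */
size_t hb_respond(const uint8_t *msg, size_t msg_len,
                  uint8_t *out, size_t out_cap)
{
    if (msg_len < HB_HEADER + HB_PADDING || msg[0] != HB_REQUEST)
        return 0;                          /* too short, or not a request */

    /* Length the sender claims its payload has (big-endian). */
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];

    /* The check that matters: the claimed length must fit inside what
     * was actually received. Without it, the memcpy below would read
     * past the request into whatever sits next to it in memory. */
    if (HB_HEADER + claimed + HB_PADDING > msg_len)
        return 0;                          /* discard silently */

    size_t resp_len = HB_HEADER + claimed + HB_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HEADER, msg + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);
    return resp_len;
}

/* Constructed sample: a request that carries the 5-byte payload
 * "hello" but announces `claimed` bytes. Returns the reply length. */
size_t hb_demo(uint16_t claimed)
{
    uint8_t msg[HB_HEADER + 5 + HB_PADDING] = { HB_REQUEST };
    uint8_t out[64];
    msg[1] = (uint8_t)(claimed >> 8);
    msg[2] = (uint8_t)(claimed & 0xff);
    memcpy(msg + HB_HEADER, "hello", 5);
    return hb_respond(msg, sizeof msg, out, sizeof out);
}

int main(void) { printf("%zu %zu\n", hb_demo(5), hb_demo(0x4000)); }
```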
The bug only affects websites using OpenSSL encryption and servers running Apache or Nginx software. A patch was released on Monday to eliminate the issue, but that doesn’t mean that you’re 100% safe.
Several websites are tracking which sites have reported a vulnerability and the status of their security updates. Affected websites reportedly include Google, Yahoo, Tumblr, Instagram, and Pinterest. Gamers should note that Minecraft was also affected by the Heartbleed Bug. In Canada, the Canada Revenue Agency, the Canadian equivalent to the IRS, has shut down its online services until its security issues are solved. That wouldn’t be an issue if taxes weren’t due in less than three weeks.
If a website you use has been affected by the Heartbleed Bug, don’t run out and change your password immediately. Wait until they confirm that the issue has been resolved. If you change your password now, you might still be exposed to having your data stolen. If you wait until that website has been patched, your password change should go through safely.