How the Heartbleed bug works, and what passwords you need to change

Internet security experts are scrambling to patch an alarming encryption vulnerability that has exposed millions of passwords and personal information, including credit-card numbers, email accounts and a wide range of online commerce.

Latest news

The Canada Revenue Agency says about 900 customers had their social insurance numbers stolen due to this bug. (The CRA website was closed for six days last week in order to patch the problem, and has extended the tax-filing deadline.)

How big of a deal is this?

Some reports suggest as many as two-thirds of the sites on the Internet are using OpenSSL, the encryption code that we now know is flawed and vulnerable to so-called Heartbleed attacks.

What other websites should I be worried about?

Canadian banks, airlines and online retailers such as Amazon.ca, Wal-Mart and Indigo Books all said they weren't affected by the bug.

The online news site Mashable has an extensive list of other affected sites. They suggest you should immediately change your password if you use:

  • Facebook
  • Gmail (or other Google services)
  • Tumblr
  • Yahoo mail
  • GoDaddy
  • Intuit (TurboTax)
  • Dropbox
  • LastPass
  • OkCupid
  • Soundcloud

Wondering about a site not on this list? There is no central "is my Internet broken" government agency that can verify if your site is vulnerable.

There are also a few services, such as filippo.io/Heartbleed, that let you test a website yourself. We recommend doing this for any lesser-known site you use regularly.

Wow, that's a lot. Anything else affected?

Initially, security experts focused on websites using OpenSSL. We now know many digital products – some with difficult-to-patch firmware – are also vulnerable, including:

  • Antivirus software
  • Email servers
  • Security firewalls
  • Routers and network switches
  • Some PCs
  • Android Version 4.11 (Jelly Bean)
  • Even the security-conscious Tor network

In those cases the hardware and software firms need to introduce patches.

When should I change my passwords?

It may sound like a good idea to just update every one you have, but it won’t do you any good to change a password on a site that hasn’t updated its OpenSSL yet: The new password will be vulnerable too.

As Toronto-based password-managing site 1Password says, "The time to change passwords is after sites patch vulnerability *and* update certificates."

How can I make my passwords safer?

The smartest thing to do at this point is diversify your passwords, so that if someone hacks your OKCupid account they can’t get into Google with the same password. My rule of thumb is that no site that connects to my credit card shares a password with any other site I use. We just started a series on how to live a more secure digital life and here’s some totally crucial password advice from Technology reporter Omar El Akkad:

Most people use terrible passwords. There are a number of reasons for this. One is the sheer variety of password-enabled devices we have to deal with every day (how many people still have the default “1234” as the password on their vehicle’s Bluetooth connection?). Another is the fault of certain products and web sites that either don’t care what sort of password you choose, or force you to jump through a bunch of hoops that result in the creation of a convoluted password you end up forgetting a week later. As Randall Munroe notes, the most important determinant of password strength is entropy. Basically, the more stuff there is to guess, the better the password. So choose a long password. And if you don’t think you can remember multiple passwords and don’t want to use a password manager, at least memorize a strong password and use it exclusively for your most important digital transaction. The last thing you want is your banking login compromised because someone hacked into a gaming forum you frequent and stole your password.

Is this a virus?

No. A virus is a piece of malicious code that seeks to infect your computer systems. Heartbleed appears to be a mistake, a flaw in the encryption code that many websites use to protect passwords they ask you to use to log in, as well as other information.

How long has this been going on?

According to the researchers who found the problem – and let’s be clear, this is a gaping hole that words like “flaw, bug and vulnerability” barely describe – the bad code was introduced two years ago. To quote Codenomicon (who found and named Heartbleed): The affected code is called OpenSSL and “is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet.”

Can you geek out for a moment, how does this work?

The term "Heartbleed" was coined by Finnish security researchers working in California. The vulnerability affects encryption technology called OpenSSL and could allow hackers to decipher encrypted data without website owners or users knowing any information theft had occurred.

Let me quote the Globe and Mail’s ops boss Steve Mickeler (Team Lead, Web Operations): “The flaw allows the attacker to access 64kb chunks of memory at a time and can often be used to retrieve the private keys, allowing the attacker to decrypt the SSL session and discover usernames and passwords. It can also be used to perform a man-in-the-middle attack by spoofing the site the user is going to since they now have access to the SSL keys and the client would not deem anything to be suspicious.”

As security expert Raymond Vankrimpen explains in our story about the CRA shutdown: "The Heartbleed vulnerability occurs when OpenSSL is used in combination with a communication protocol called the RFC6520 heartbeat. Such "heartbeats" help a remote user remain in touch after connecting with a website server ...

"A small chunk of the server’s memory content, about 64 kilobytes of memory, can leak out with each heartbeat.

"While 64 kilobytes doesn’t represent a large amount of memory content, it is large enough to hold a password or an encryption key, allowing an unscrupulous user to return to exploit the server further."

For an excellent illustration of how this works, check this cartoon from xkcd.

It's also important to note that 64kb is not the limit of leaked information: a potential attacker could collect many "heartbeats" of data.
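To make the heartbeat mechanics concrete, here is an added example (not code from this article or from OpenSSL) of a handler that validates the sender-claimed payload length against the bytes actually received before echoing anything back. The function names and sample messages are hypothetical; the message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* RFC 6520 heartbeat_request */
#define HB_RESPONSE 2   /* RFC 6520 heartbeat_response */
#define HB_MIN_PAD  16  /* RFC 6520: at least 16 bytes of padding */

/* Bytes an unchecked echo would copy from beyond the received record:
 * the claimed payload length minus the bytes that actually follow the header. */
size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 3) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t present = rec_len - 3;
    return claimed > present ? claimed - present : 0;
}

/* Hardened handler (hypothetical name): writes the response into out and
 * returns its length, or -1 when the request must be silently discarded. */
long hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PAD || rec[0] != HB_REQUEST) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The length validation: header + claimed payload + padding must fit. */
    if (1 + 2 + claimed + HB_MIN_PAD > rec_len) return -1;
    if (1 + 2 + claimed + HB_MIN_PAD > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);        /* echo only bytes that arrived */
    memset(out + 3 + claimed, 0, HB_MIN_PAD); /* real padding is random; zeroed here */
    return (long)(1 + 2 + claimed + HB_MIN_PAD);
}

int main(void)
{
    /* Constructed samples: an honest 4-byte ping and a request claiming 16 KB. */
    uint8_t ok[23]  = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t bad[19] = {HB_REQUEST, 0x40, 0x00};
    uint8_t out[64];
    printf("honest: response=%ld bytes, over-read=%zu\n",
           hb_respond(ok, sizeof ok, out, sizeof out), hb_overread(ok, sizeof ok));
    printf("lying:  response=%ld, over-read if unchecked=%zu\n",
           hb_respond(bad, sizeof bad, out, sizeof out), hb_overread(bad, sizeof bad));
    return 0;
}
```

Because the length field is 16 bits, the largest claim is 65,535 bytes, which is where the roughly 64 KB per heartbeat figure comes from.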

Again, for even more information, including info on how to fix your site, check Codenomicon’s specialty site: Heartbleed.com.

One piece of good news? The password you use on The Globe and Mail’s website is not vulnerable to the Heartbleed bug (we use a different security protocol, and in places that use OpenSSL we used the older, not broken, version).

Whose fault is this?

Well, it's hard not to blame this on the OpenSSL Software Foundation and the developers who maintain this code. According to the Wall Street Journal, there are only four staffers to maintain the open-source libraries, and only one is full time.

"There's no question more effectively applied manpower would be a good thing," said Steve Marquess, 59 years old, who is the president of the foundation. "Formal code audits would be a good thing." Indeed.

What does the guy who made the mistake have to say?

Robin Seggelmann, the German software developer who wrote the bad line of code, spoke to the Sydney Morning Herald:

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features…In one of the new features, unfortunately, I missed validating a variable containing a length.”

After he submitted the code, a reviewer “apparently also didn’t notice the missing validation,” Seggelmann said, “so the error made its way from the development branch into the released version.”

Dr Seggelmann said the error he introduced was “quite trivial,” but acknowledged that its impact was “severe.”

The Globe and Mail