As you may have heard, there’s a new security vulnerability currently affecting the Internet. It’s a damn big deal, so I wanted to write a quick overview, aimed at non-tech people, to explain what the exploit is, who can be affected, and what the potential impact will be.

Overview

Heartbleed is an exploit that affects secure websites on the Internet. Many sites use a technology called SSL to keep customer information private and to prevent attackers from intercepting or stealing customer data. Heartbleed is a bug in the most common implementation of SSL, a library called OpenSSL. It allows attackers to read the memory of the affected website, potentially stealing information about other users who are using the website at the same time. Randall Munroe provides an excellent analogy to help you understand how the attack works in this XKCD comic.

The technical details are beside the point for this post, and are well covered elsewhere, but you can think of it like a hidden window that allows anyone to see what’s going on inside a website’s server, including any data it might be processing at the time.
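For readers who do want to see the shape of the bug, here is an added illustration (not code from the original post, and not OpenSSL’s code). It simulates the heartbeat handler in a small, constructed block of “server memory”: the peer sends a short message but claims it is longer, and a handler that trusts the claimed length copies neighbouring memory (here a constructed placeholder secret) back into the reply. The fixed handler refuses any claimed length that exceeds what was actually received. Names, sizes and the sample secret are all assumptions made for the demo; the over-read is deliberately kept inside the arena so the program stays well defined.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed "server memory": the received heartbeat record sits at the
 * start, and unrelated data (a placeholder secret) follows it. */
#define ARENA_SIZE 64
#define SECRET_OFF 16
#define PAYLOAD "hello"            /* what the peer actually sent: 5 bytes */
#define PAYLOAD_LEN 5
#define SECRET "SSN=000-00-0000 (constructed)"

static unsigned char arena[ARENA_SIZE];

static void setup_arena(void) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, PAYLOAD, PAYLOAD_LEN);
    memcpy(arena + SECRET_OFF, SECRET, sizeof SECRET - 1);
}

/* Vulnerable handler: echoes back as many bytes as the peer *claims* it sent,
 * never comparing that against the bytes that actually arrived. */
size_t heartbeat_vulnerable(const unsigned char *record, size_t record_len,
                            uint16_t claimed_len, unsigned char *out, size_t out_cap) {
    (void)record_len;                         /* not consulted: that is the bug */
    size_t n = claimed_len < out_cap ? claimed_len : out_cap;
    memcpy(out, record, n);                   /* reads past the record into neighbouring memory */
    return n;
}

/* Fixed handler: the claimed length must fit inside the record we received. */
size_t heartbeat_fixed(const unsigned char *record, size_t record_len,
                       uint16_t claimed_len, unsigned char *out, size_t out_cap) {
    if (claimed_len > record_len || claimed_len > out_cap)
        return 0;                             /* drop the malformed request */
    memcpy(out, record, claimed_len);
    return claimed_len;
}

/* Asks each handler for 40 bytes of a 5-byte payload (40 stays inside the
 * 64-byte arena, so the demo itself never reads out of bounds). */
int vulnerable_leaks_secret(void) {
    unsigned char out[ARENA_SIZE];
    setup_arena();
    size_t n = heartbeat_vulnerable(arena, PAYLOAD_LEN, 40, out, sizeof out);
    return n == 40 && memcmp(out + SECRET_OFF, "SSN=", 4) == 0;
}

int fixed_rejects_oversized(void) {
    unsigned char out[ARENA_SIZE];
    setup_arena();
    return heartbeat_fixed(arena, PAYLOAD_LEN, 40, out, sizeof out) == 0
        && heartbeat_fixed(arena, PAYLOAD_LEN, PAYLOAD_LEN, out, sizeof out) == PAYLOAD_LEN;
}

int main(void) {
    printf("vulnerable handler leaks neighbouring data: %s\n",
           vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler rejects oversized request:   %s\n",
           fixed_rejects_oversized() ? "yes" : "no");
    return 0;
}
```

The whole fix is the one comparison in `heartbeat_fixed`: a length supplied by the other side of the connection is never allowed to exceed the data that actually arrived. That single missing check is what let a tiny request pull back whatever happened to sit next to it in the server’s memory.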

How bad is it really?

Literally the worst security exploit the Internet has ever seen.

And worse than most people, even a lot of tech folks, realize. This exploit allows an attacker to steal information about the computer that runs a web site and also about every other user using the website at the same time. It also potentially opens up other, more targeted attacks against individual users or specific sites. It is currently undetectable and therefore largely untraceable. It is trivial to pull off. It potentially affects millions of sites.

There is a common assessment matrix, DREAD, used to assess the threat posed by a particular security vulnerability. DREAD is a mnemonic representing Damage, Reproducibility, Exploitability, Affected Users, and Discoverability. Heartbleed gets the highest possible rating in all five categories and, for a few of them, is the worst bug to ever affect the web.

What can I do to stay safe?

Assume that any information you send to a website can be seen by an attacker unless and until you get confirmation from the owner of the website that the exploit is fixed. At this point a majority of sites appear to be patched and, thus, safe to use, but you shouldn’t assume that a site is safe until you confirm with the owner. When in doubt, call their customer service or tech support lines and inquire directly about Heartbleed.

DO NOT send any information you wouldn’t want to be known by the entire world to a website unless you have confirmed that the website is fixed.

Please note, this exploit affects sites that use HTTPS to secure traffic (that little lock icon you see in the address bar of some browsers). It so severely damages the security of these websites that it makes them WORSE than normal, non-secure sites.

I used an affected website before it was patched. How fucked am I?

Unfortunately, it’s impossible to tell. It could be that no one was using the exploit at the time you were using the site. Or that they didn’t happen to read memory containing your private information. Or the server may not have had any of your information in memory at the time the attacker was using the exploit. You might be fine.

Or you might be completely hosed. The attacker might have every piece of information you’ve ever given that website, including SSN, credit card details, addresses, the contents of your middle school diary, etc.

It’s literally impossible to tell, which is part of what makes Heartbleed so insidious.

What now?

As I mentioned, a fix is available for Heartbleed and most site owners are working as fast as they can to patch their systems. Some, however, don’t really understand just how urgent this exploit is. If you don’t know whether a website is safe, assume it isn’t until you hear from the site owner that they’ve fixed their systems. Don’t hesitate to call their tech support or customer service numbers. Once a website is safe to use again, it is a good idea to change your password there; changing it before the site is patched doesn’t help, since the new password can be stolen the same way.

I have more questions!

There’s tons of good info on the web about the bug. Unfortunately a lot of it is intended for a highly technical audience. If you have questions that you can’t find answers for via Google, feel free to post them to the comments and I’ll try to post non-tech answers to them to the best of my ability.

Update #1 – 2014.4.11

BDaddy in the comments makes the excellent point that one way to limit damage from bugs like this is to use a different password for every website. That way, if an attacker manages to get your password for one website, they can’t use it to access your accounts on other websites. There are a number of tools and services that can help with this. I personally like LastPass, but there are a number of other solutions as well.

Additionally, I forgot to mention that it’s probably a good idea to change your passwords for websites that you use after you’ve determined that they’re patched against Heartbleed. I’ve updated the “What now?” section accordingly.

I’ve also updated the “Overview” section with a link to this excellent XKCD comic explaining the attack by analogy.