The Heartbleed bug was discovered on Monday evening by a team of security researchers. To quote one security expert, “Everybody’s been freaking out ever since.”
Heartbleed is not a computer virus, and unlike many cyber security scares it is not limited to a single company or website. Heartbleed is a basic flaw in the security programming that protects roughly half a million different websites, according to one estimate.
It could have implications for an enormous number of people and organizations, most notably the Canada Revenue Agency, which was forced to shut down its electronic tax collection service Wednesday.
But while most large agencies and corporations will be able to address the flaw relatively quickly, the key question is how long other actors in cyberspace may have known about this vulnerability, particularly cyber criminals and national security agencies, and what they’ve already gleaned.
The flaw is in a piece of open source code that is available for anyone and widely used as a way of saving time when programming. The code was written by the open source community, so its precise authorship is unclear.
What happens is that when your computer is communicating with a secure website, it’s asked to send a “heartbeat” of data to confirm the connection.
When that heartbeat is sent, a small amount of the server’s short-term memory, about 64 kilobytes, can leak. While that’s not very much data at one time, and it’s data chosen at random, the action can be repeated over time to gain many fragments of information without being detected. The information that’s typically in a server’s short-term memory is often quite valuable, things such as user names and passwords, according to Eric Skinner, vice-president at Canadian web security firm Trend Micro.
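To show what the leak described above comes down to in code, here is a minimal heartbeat handler in C that performs the length check whose absence caused the bug. This is an added illustration, not code from the article or from OpenSSL; the message layout follows RFC 6520, and the two sample records are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message: 1 byte type, 2 byte payload_length (big-endian),
 * payload bytes, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build a heartbeat response for a received heartbeat record.
 * Returns the number of bytes written to out, or -1 if the record is rejected.
 * The check that matters: the claimed payload_length must fit inside the record
 * that actually arrived (rec_len). Copying payload_length bytes without that
 * check is what let Heartbleed echo back adjacent server memory. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* Hardened bound (the post-Heartbleed fix): header + claimed payload +
     * minimum padding must not exceed the bytes actually received. */
    if (1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;
    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);        /* echo only bytes we received */
    memset(out + 3 + payload_len, 0, HB_PADDING); /* real TLS uses random padding */
    return (int)resp_len;
}

/* Constructed sample: a well-formed request carrying the 5-byte payload "hello". */
static const uint8_t GOOD_REQ[24] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* Constructed sample: the same 24 bytes on the wire, but claiming a 65535-byte payload. */
static const uint8_t OVERCLAIMED_REQ[24] = { HB_REQUEST, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o' };

int example_good(void)        { uint8_t out[64]; return heartbeat_respond(GOOD_REQ, sizeof GOOD_REQ, out, sizeof out); }
int example_overclaimed(void) { uint8_t out[64]; return heartbeat_respond(OVERCLAIMED_REQ, sizeof OVERCLAIMED_REQ, out, sizeof out); }

int main(void)
{
    printf("well-formed request  -> %d bytes\n", example_good());            /* 24 */
    printf("over-claimed length  -> %d (rejected)\n", example_overclaimed()); /* -1 */
    return 0;
}
```

Without the bound on line marked "Hardened bound", the memcpy would read 65535 bytes starting just past a 24-byte record, which is the roughly 64 kilobyte leak the article describes.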
The site might leak what are known as “session cookies,” Mr. Skinner said, which would allow someone to impersonate an unsuspecting victim on a particular site for a short time. It might also leak a site’s SSL private keys, which would allow a sophisticated user to pretend to be that website and fool other computers into believing they had landed in the right place.
“You can pretend to be that server, look like that server, try to trick people to come to that Web page,” Mr. Skinner said. “That is appealing to criminals, to intelligence agencies. They can pretend to be your bank, send you a link, get your login and everything looks legit … It’s usually hard to do that but this makes it potentially easy.”
Is it possible that this flaw was introduced into the open source code deliberately?
Mr. Skinner said it’s possible, but unlikely. It’s not surprising to find bugs in computer systems, he said.
So far, computer experts have found no direct evidence that anyone has managed to use the bug to steal information. But since hundreds of thousands of Web servers use the affected technology, the potential impact is massive.
“It's all about potential,” said Gerry Egan, senior director of product management at Symantec.
“Obviously a lot of large sites, including banks, have been using SSL for years, and some may have been using [the affected software].”
But Mr. Egan said most large companies and websites have the resources to quickly fix the bug – the greater problem lies in smaller sites that don't get around to fixing it.
If users employ the same login information for one of those sites as they do for their online banking account, for example, their security could be compromised regardless of what the bank's IT department does.
“Imagine you had a master key for your front door, your car, your office.” Mr. Egan said. “It's really convenient, but if you lose the key and someone finds it, now you're in trouble.”