This week, security researchers publicized a significant security flaw, named Heartbleed, which could expose the personal information that people plug into websites, like passwords and credit card numbers.
Unlike some past Internet security problems, the solution isn’t as simple as immediately changing a password. And the cause of the security flaw remains confusing to many everyday Internet users.
In an interview, one of the experts offered some insight into Heartbleed and open-source software, and gave suggestions for what consumers should do. Below is an edited transcript of the interview.
What Heartbleed is is a way that an attacker can steal bits of information about that transaction — things you thought were being safeguarded. The attacker can start reading data about a transaction and learn things like your passwords and credit card numbers that you thought were kept confidential.
Because so many people are working on the software, that makes it so it’s less susceptible to problems. For security it’s more important in many ways, because often security is really hard to implement correctly. By having an open source movement around cryptography and SSL, people were able to ensure a lot of basic errors wouldn’t creep into the products.
OpenSSL is an open-source project that’s been around for many years. The code has been developed by many people for many years. Any piece of software is susceptible to vulnerability. I think on the whole it’s still better to use something that’s been vetted by many people for many years. Ultimately the more people who look at it, the more people will find security problems quickly.
The Heartbeat protocol is a sub-part of SSL. Heartbeat is meant to ensure communications are kept alive. So when two people are communicating and there hasn’t been any communication for a while, it keeps the communication line alive for a bit — it keeps a session alive so it doesn’t get taken down. What would typically happen in SSL is the communication would get terminated immediately.
Heartbeat is not the main part of SSL. It’s just one additional feature within SSL. And as an additional feature, it may not get as much scrutiny as the main part itself. So it’s conceivable that nobody looked at that code as carefully because it was not part of the main line.
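The keepalive exchange described above, as an added example that is not part of the interview or of OpenSSL's own code: a Python model of the TLS heartbeat message format from RFC 6520 (one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding). The responder echoes the payload back, which is what keeps the session alive; the length check in `parse_heartbeat` is the validation a correct implementation must perform before echoing anything, so a message whose declared length exceeds the bytes actually received is discarded rather than answered. The function names and the sample messages are constructed for this example.

```python
import struct

# Heartbeat message types from RFC 6520 (TLS/DTLS Heartbeat Extension).
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
# RFC 6520 requires at least 16 bytes of padding after the payload.
MIN_PADDING = 16
HEADER_LEN = 3  # one type byte + two-byte big-endian payload_length


def build_heartbeat(msg_type, payload, padding=b"\x00" * MIN_PADDING):
    """Serialize a heartbeat message: type | payload_length | payload | padding."""
    if len(padding) < MIN_PADDING:
        raise ValueError("padding must be at least 16 bytes")
    return struct.pack("!BH", msg_type, len(payload)) + payload + padding


def parse_heartbeat(record):
    """Parse one heartbeat message body.

    Returns (msg_type, payload), or None when the message must be silently
    discarded: too short to hold a header, unknown type, or a declared
    payload_length that does not fit inside the bytes actually received.
    That last check is the one a correct implementation performs before
    echoing anything back to the peer.
    """
    if len(record) < HEADER_LEN:
        return None
    msg_type, payload_len = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    # The declared length is only trusted once it is bounded by what arrived.
    if HEADER_LEN + payload_len + MIN_PADDING > len(record):
        return None
    payload = record[HEADER_LEN:HEADER_LEN + payload_len]
    return msg_type, payload


def respond_to_heartbeat(record):
    """Peer side of the keepalive: echo a valid request's payload, else send nothing."""
    parsed = parse_heartbeat(record)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    _, payload = parsed
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


if __name__ == "__main__":
    # Constructed sample exchange: a well-formed request gets its payload echoed.
    request = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
    response = respond_to_heartbeat(request)
    print("well-formed request ->", parse_heartbeat(response))

    # Constructed malformed request: claims 65535 bytes of payload but carries 4.
    oversized = struct.pack("!BH", HEARTBEAT_REQUEST, 65535) + b"ping" + b"\x00" * MIN_PADDING
    print("oversized claim     ->", respond_to_heartbeat(oversized))
```

Running the block echoes `(2, b'ping')` for the well-formed request and `None` for the oversized one; the point is that the responder never copies more bytes than the record it was handed actually contains.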
We’ve found little issues of it here and there, but there has been no major flaw in how SSL works. I think despite this flaw it is still the best implementation out there. There are going to be some issues with it, but at least the likelihood of an issue with OpenSSL as a whole might be less than another library that might not have been looked at as much.
Q. What should everyone do?
A. There are two things I recommend. There are some sites where you can check if the websites have been upgraded to patch the problem. First check your site to make sure it’s been patched. If it has been patched, then go ahead and log in and change your password. If you change your password and the site hasn’t been patched, then you’re giving a hacker a new password.
But I’d say that the first line would be to start with your password and work your way backward from there. Start monitoring credit card statements, and if you see suspicious activity, call the bank.
Source: Associated Press