Heartbleed has recently become the most talked-about computer bug threatening web security – but it has been around for two years. Why are people just noticing it?
The reason is that it hasn’t always been clear which sites were affected. When reports surfaced that popular sites and services like Gmail, Facebook and PayPal were threatened, people started to pay more attention.
Heartbleed preys on OpenSSL servers used to secure communications on a majority of websites – these websites are identified by a ‘lock’ icon or ‘https’ preceding the URL and are considered most vulnerable.
The bug invades computers through phishing emails that prompt users to change their passwords. Users who comply are sent to a website designed to steal login credentials and other confidential information. Heartbleed is so dangerous because it steals not only current login details but also those for future online transactions.
It is important to note that most organizations never send a password change request through email. Users who want to change their password are encouraged to do so through the site directly. Security experts also advise users to ensure that a website has released an official statement and taken the necessary protective measures before updating passwords on that website – a Heartbleed bug test can be used to check whether websites have been cleared.
According to the CBC, Canada’s national public broadcasting company, a fixed version of OpenSSL was released on April 7 and websites and other services can be secured by using it or by disabling the affected part of the code. The new code then needs to be incorporated and installed into the affected software.
Re/code, an independent tech news site, states that about two-thirds of the world’s web servers rely on OpenSSL encryption, which is used for activities like e-mail, chats, online banking, file storage and private networks.
The biggest Heartbleed threat in Canada came on April 14, when the Canada Revenue Agency confirmed that 900 Social Insurance Numbers and other confidential data were stolen by the bug. The CRA shut down its website from April 9 to 13 in order to deal with the security threat, which came weeks before the Canadian tax deadline. The agency said in a statement that it is notifying the affected people via registered mail.
Re/code states that websites like Yahoo and Google have already made repairs to services that were recently affected. Facebook, Twitter, YouTube and PayPal remain safe from future threats, but users are still encouraged to change passwords.
Technology website Mashable has posted a list of all affected websites.